w 


AO-A102  373  NAVAL  POSTGRADUATE  SCHOOL  MONTEREY  CA  p/e  5/i 

A  PROPOSED  FLIGHT  SAFETY  PROGRAM  FOR  THE  KOREAN  AIR  FORCEi(U) 

MAR  81  C  K  LEE 

UNCLASSIFIED 


NAVAl  POSTGRADUATE  SCHOOL 

Monterey,  Celifemio 


UNCLASSIFIED 


sacumrv  cuamixcatww  orrMis^AOiraiMaOataSnM*^ 


1  REPORT  OOCUMENTATION  PACE 

READ  mSTRUCTfONS 

MFORB  COMPLETtNO  POEM 

iiMIHHHi: 

A.  TITI.C  tm9  SuAMIIa) 

A  Proposed  Flight  Safety  Program  for  -n 

the  Korean  Air  Force  g 

4.  TYNS  OP  NCNONT  4  ncmoo^ovf  nco 

/jester's  thesis^  ^ 
/^r  eh  1981 —  ^ 

4.  PCNPONMIMa  ONO.  aiNONT  NUNOCN 

7.  AuTMONfai 

Chong  Kwan^Lee 

4.  NINAONMINa  ONOANIXATION  NAMC  ANO  AOOai44 

Naval  Postgraduate  School 

Monterey,  California  93940 

10.  ^HOOJIAM  tlalMCNT,  OHOJCCT.  TASK 

AAf  A  *  R10MK  UNIT  NUMMNS 

li)  1 

n.  contnollimo  orriex  MAN!  ANO  AOQRgt4 

Naval  Postgraduate  School  (H 

Monterey,  California  93940 

'‘1*.  humoseop  PAoca' 

135 

lA.  mONITONINS  aOCN^V  NAMC  4  AOORC44flt  Atftaaani  (aaai  Canmlllng  OMe»» 

14.  agCUNITY  CI.A44.  raf  lAla  rANanj 

Unclassified 

\%m,  OtCLAtSlPlCATiON/OOVNOKAOlMG 
SCHCOUIaC 

14.  MSTNiauTlON  aTATIniMT  (9l 


Approved  for  public  release;  distribution  unlimited. 


17.  OISTNI«uTION  ITATgMINT  (»l  M«  akaMC*  «n<«r*4  M  «f«c*  29,  II  9tlHmtl  «n«  JIarwt; 


<4.  SUI>^«.BMKNr«NV  MOTK 


)t.  KEY  WONOt  (Cmulmnm  an  ravaraa  a<«a  11  naaaaaarr  M  *r  Maa*  niitar; 

Flight  Safety 


M.  AUTHACT  rCaNIInMa  an  ravaraa  a(4a  If  naaaaaair  «n4  I4aniifr  Af  MaaA  w*ar> 

^Several  methodologies  relevant  to  the  development  of  a  safety 
program  for  the  Korean  Air  Force  were  reviewed.  Methodologies 
considered  included: 


2) 

3) 


DO 


Control  charts' 

System  safety  analysis^ 
Critical  incident  technique. 


1473  K0tn«N  0«f  I  NOV  4*  14  004eklT« 

l/N  OI4a>4U*t40t  I 


_ mOaAS.siFJFn  ^ 

ESeuMTV  eLA44irtCAriaN  or  rMI4  NAOI  (imm  Owa  OMaraN) 


aONM 

I  JAN  71 


#20  -  ABSTRACT  -  (CONTINUED) 


-^Data  collection  methods  applicable  to  accident  analysis 
were  proposed. 


Recommendations  for  the  incorporation  of  these  methods 
into  a  safety  program  for  the  K.A.F.  were  developed. 

The  safety  program  described  in  tlie  cuiieii^itHesis 


possesses  the  potential  for  reducing  overall  operational 
costs  and  maximizing  aircraft  availability.  The  end 
result  of  such  a  program  can  only  serve  to  increase 
operational  readiness  and  thereby  maximize  overall 
efficiency  and  military  capability  of  the  K.A.F.  - 


9  UNCLASSIFIED 

iil02-0l4-6€0l  ^  cuMiiwsATiew  »«• 


Approved  for  public  release;  distribution  unlimited. 

A  Proposed  Flight  Safety  Program 
for  the  Korean  Air  Force 

by 

Chong  Kwan  Lee 

Major,  P^public  of  Korea  Air  Force 
Graduate  of  Korean  Air  Force  Academy,  1971 


Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 


MASTER  OF  SCIENCE  IN  OPERATIONS  RESEARCH 

from  the 

NAVAL  POSTGRADUATE  SCHOOL 
March  1981 


Author 

.yp  y 

Approved  by : 

Thesis  Advisor 

Chairman^  Department  df  Operations  Research 

Dean  of  Information  and  Policy  Sciences 


3 


ABSTRACT 


Several  methodologies  relevant  to  the  development  of  a 
safety  program  for  the  Korean  Air  Force  were  reviewed. 
Methodologies  considered  included: 

1)  Control  charts 

2)  System  safety  analysis 

3)  Critical  incident  technique. 

Data  collection  methods  applicable  to  accident  analysis 
were  proposed. 

Recommendations  for  the  incorporation  of  these  methods 
into  a  safety  program  for  the  K.A.F.  were  developed. 

The  safety  program  described  in  the  current  thesis 
possesses  the  potential  for  reducing  overall  operational 
costs  and  maximizing  aircraft  availability.  The  end  result 
of  such  a  program  can  only  serve  to  increase  operational 
readiness  and  thereby  maximize  overall  efficiency  and 
military  capability  of  the  K.A.F. 


TABLE  OF  CONTENTS 


LIST  OF  TABLES -  6 

LIST  OF  FIGURES -  7 

I.  INTRODUCTION  -  9 

II.  LITERATURE  SURVEY  -  26 

A.  CONTROL  CHARTS -  27 

B.  SYSTEM  SAFETY  ANALYSIS  -  33 

C.  CRITICAL  INCIDENT  TECHNIQUE  -  58 

III.  STATEMENT  OF  PROBLEM -  64 

IV.  APPROACH  TO  MEASUREMENT  OP  FLIGHT  SAFETY  -  68 

A.  CONTROL  CHARTS -  68 

B.  FAULT  TREE  ANALYSIS -  72 

C.  CRITICAL  INCIDENT  TECHNIQUE  -  92 

D.  OTHER  STATISTICAL  METHODS  -  100 

V.  CONCLUSIONS/RECOMMENDATIONS  -  104 

APPENDIX  A:  BOOLEAN  LOGIC  AND  ITS  APPLICATIONS  -  110 

APPENDIX  B:  FAULT  TREE  DIAGRAM  FOR  CRITICALITY 

ANALYSIS -  112 

APPENDIX  C;  REPORTING  FORMATS  FOR  DATA  COLLECTION  -  119 

APPENDIX  D:  SAMPLE  FORMAT  OF  SYSTEM  SAFETY  HAZARD 

ANALYSIS -  129 

APPENDIX  E:  SAMPLE  TREND  CHART  -  130 

BIBLIOGRAPHY  -  131 

INITIAL  DISTRIBUTION  LIST  -  134 


5 


LIST  OF  TABLES 


An  Exeunple  of  Negative  Utility - 

Three  Proposed  Countermeasures  and 
Associated  Cost  - 

Three  Alternative  Cost/Benefit  Analyses  - 

Example  Data  for  Ranks  by  Pilots,  Flight 
Time,  and  Accidents  - 

K.A.F.  Accident  Rate  by  Year  - 

Material  Factors  by  Year  of  Accident 
(Major  and  Minor)  - 

Example  of  Supervisory  Factor  Reporting  Format 

Failure  Probability  - - - 

Sample  Cost  Effectiveness  Ranking  - 

Sample  Classification  of  Pilot  Error 
Experiences  - 


LIST  OF  FIGURES 


1.  Model  of  Mishap  Caused  by  Material 

Failure/Malfunction  -  11 

2.  Model  of  Accident  Involving  Pilot  Error  -  12 

3.  U.S.  Navy /Marine  Average  Cost  per  Major 

Aircraft  Accident  -  16 

4.  Safety  Program  Model -  l^ 

5.  An  Optimal  Level  of  Safety  Performance  -  18 

6.  Safety  Improvement  Flow  Chart  -  19 

7.  Organizational  Approach  to  Safety  -  23 

8.  Sample  Control  Chart  -  28 

9.  Sample  of  a  Safety  Control  Chart  Used  in  Statis¬ 
tical  Approach  to  Safety  Evaluation  -  30 

10.  Control  Chart  for  Example  Described  in  Text -  32 

11.  Example  of  System  Elements  in  Aircraft  Accidents  —  35 

12.  Systems  Development  Flow  Diagram  -  36 

13.  Event  Symbols  Used  in  Fault  Tree  Analysis -  ^2 

14.  Symbols  for  Logic  Gates  Used  in  Fault 

Tree  Analysis -  44 

15.  Levels  of  Fault  Tree  Development -  46 

16.  Fault  Tree  Illustrated -  52 

17.  Fault  Tree  Illustrated  the  Probabilities  Assigned  -  54 

18.  Classification  of  460  Errors  Made  by  Pilots  in 

Operating  Aircraft  Controls  -  61 

19.  Control  Chart  Applied  to  K.A.F.  Data  -  69 

20.  Acceptance  and  Rejectance  Region  -  71 

21.  Proposed  Information  Flow  for  R.O.K. 

Safety  Program - - - 3.08 


7 


ACKNOWLEDGMENT 


I  wish  to  extend  ray  sincerest  appreciation  to  Dr.  D.E. 
Neil  for  his  help  and  close  supervision  during  this  research 
report.  I  also  would  like  to  extend  ray  appreciation  to 
CDR  W.F.  Moroney  for  his  help  and  encourageraent . 


8 


I .  INTRODUCTION 


Safety  is  generally  recognized  as  an  essential  part  in 
overall  system  operation.  According  to  Lawrence  (1976)  safety 
can  be  defined  as  a  judgment  of  the  acceptability  of  risk. 
"Safety  is  the  minimization  of  injury  and  loss  resulting  from 
nondeliberate  acts  such  as  accidents  and  natural  calamities" 
(National  Safety  Council,  1973). 

A  function  is  safe  if  its  risks  are  judged  to  be  acceptable. 
This  definition  emphasizes  the  relativity  and  judgmental 
nature  of  the  concept  of  safety.  It  also  implies  that  two 
very  different  activities  are  required  for  determining  how 
safe  things  are; 

a.  Measuring  risk,  an  objective  but  probabilistic  pursuit. 

b.  Judging  the  acceptability  of  that  risk  ( juding  safety) , 
a  matter  of  personal,  social  and  economic  value  judgment. 

System  safety  is  required  to  prevent  injury  and  damage 
in  system  design.  Hammer  (1972)  in  his  Handbook  of  System 
and  Product  Safety  suggests  that  injury  or  damage  can  result 
from  four  fundamental  causes  or  combinations  thereof: 

a.  material  failure. 

b.  human  error. 

c.  adverse  characteristics  of  a  product. 

d.  unusual  environmental  conditions. 

Recently,  personnel  concerned  with  accident  prevention 
have  become  more  convinced  that  injury  or  damage  from  any 


9 


of  those  causes  can  be  prevented  or  lessened  through  good 
design  cuid  planning  (Figures  1  and  2)  .  Figure  1  suggests 
a  model  of  the  material  failure /malfunction  accident.  The 
approach  to  the  investigation,  analysis,  and  prevention  of 
mishaps  caused  by  material  failure/malfunction  is  FIRE 
(material  failure/malfunction,  system  inadequacy,  and  remedial 
measure) .  They  are  defined  as  follows; 

a.  A  material  failure /malfunction  (F)  is  a  component  or 
system  that  1)  ceases  to  operate  entirely,  2)  operates, 
but  not  as  designed  or  intended,  3)  operates  as  de¬ 
signed,  however,  operational  needs  require  enhanced 
perf ormeince .  A  material  failure/malfunction  is  con¬ 
sidered  for  analysis  only  when  it  is  judged  to  have 
caused  or  contributed  to  the  mishap,  not  resulted 
from  the  mishap. 

b.  A  system  inadequacy  (I)  is  an  element  of  the  aviation 
system  that  did  not  operate  as  intended  or  designed. 

An  I  is  assigned  only  when  it  is  judged  to  have 
caused,  allowed,  or  contributed  to  the  occurrence 

of  an  F .  More  than  one  I  may  be  assigned  to  a  given 
F. 

c.  A  remedial  measure  (RE)  is  an  action  required  to  correct 
or  at  least  reduce  the  operational  impact  of  an  I .  The 
RE  may  be  directed  at  any  command  level  for  implan¬ 
tation  and  is  not  to  be  restricted  by  current  tech¬ 
nology  or  budgetary,  personnel,  and  equipment  resources. 
More  than  one  RE  may  be  recommended  for  a  given  I. 

Figure  2  presents  a  functional  model  of  U.S.  Army's  Air¬ 
craft  Accident  to  the  pilot  error  accident  among  human  errors. 
Items  1  through  8  are  the  basic  elements  of  the  aviation  sys¬ 
tem.  When  one  or  more  of  these  elements  is  out  of  tolerance, 
an  overload  (Item  9)  is  placed  on  the  pilot's  system  role 
(Item  10)  in  that  he  must  continue  to  perform  his  normal  tasks 
while  correcting  or  adjusting  for  the  abnormal  system  condi¬ 
tion.  When  this  exceeds  the  pilot's  ability  to  cope  with  it 


Figure  1.  Model  of  Mishap  Caused  by  Material  Failure/ 
Malfunction  (G.  Dwight  Lindsey  and  William 
R.  Brown  [1979],  Appendix  F-.3) 


11 


Figure  2.  Model  of  Accident  Involving  Pilot  Error 
(Ricketson,  1974) 

or  occurs  at  a  critical  time,  he  makes  errors  (Item  11)  in 
his  normal  tasks  and/or  in  handling  the  abnormal  condition. 
Most  of  these  errors  slip  by  without  causing  an  accident 
(Item  12) .  But,  when  events  or  circumstances  operate  un¬ 
favorably,  the  error  leads  to  an  accident  (Item  13). 

This  approach  views  pilot  error  accidents  as  the  result 
of  the  pilot's  system  role  being  overloaded  by  inadequacies 
of  the  pilot,  other  systems  elements,  or  both.  Accidents 
describe  a  point  in  time  to  look  for  system  inadequacies . 

This  model  exemplifies  eui  attempt  to  approach  accident  causes 
from  a  "systems”  standpoint.  Research  has  indicated  that 
humem  error,  unlike  hardware  difficiency,  is  rarely  the  sole 
factor  in  an  accident.  The  applicability  of  this  functional 


12 


model  is  not  limited  to  pilot  error  accidents.  It  is  a  model 
that  may  be  used  in  any  evaluation  of  a  man-machine  system. 

The  most  commonly  designated  cause  of  accidents  is  human 
error.  In  the  past  decade,  more  than  70%  of  Korean  Air  Force 
aircraft  accidents  have  been  attributed  to  human  error 
(Aircraft  Accident  Data  of  Korean  Air  Force,  1980).  In  acci¬ 
dents  where  material  failure  is  recognized,  it  is  often  quite 
possible  to  continue  tearing  down  the  equipment  until  the  pre¬ 
cise  portion  that  failed  is  isolated  and  the  cause  of  the 
failure,  whether  it  be  corrosion,  stress,  faulty  load  con¬ 
ceptualization,  or  other  factors,  can  be  determined  and  rede¬ 
sign  proposed.  In  case  of  hximan  error,  however,  the  static 
statement  that  a  human  being  failed  provides  no  guidance  to 
future  improvement.  The  need  to  reduce  human  error  to  its 
basic  constituents  as  a  means  of  obtaining  insight  into  the 
causes  of  these  failures  has  resulted  in  various  approaches 
to  segmenting  human  behavior  for  analytical  purposes. 

According  to  Florio  cind  Stafford  (.1969)  ,  when  the  primary 
factor  of  an  accident  is  attributed  to  human  error  the  acci¬ 
dent  cause  may  be  classified  into  five  general  areas ; 

a.  Inadequate  knowledge. 

b.  Insufficient  skills. 

c.  Environmental  hazards. 

d.  Improper  habits  and  attitudes. 

e.  Unsafe  behavior. 

Each  of  these  areas  are  discussed  below: 


13 


Inadequate  knowledge .  Knowledge  is  the  foundation  for 
understanding  and  the  spring-board  for  the  development  of 
desirable  attitudes  toward  safe  behavior.  Ideally  every 
individual  should  learn  cind  appreciate  safety  rules.  Ade¬ 
quate  knowledge  is  vital  if  a  person  is  to  avoid  hazardous 
situations  and  react  properly  in  such  a  situation.  Also, 
proper  knowledge  enables  the  individual  to  recognize  and 
evaluate  dangerous  situations  (i.e.,  be  aware  of  tolernace 
limits  of  the  system) . 

Insufficient  skill.  Attempting  to  perform  tasks  beyond 
one's  ability  level  creates  high-risk  situations;  thus  skill 
level  is  an  important  determineint  in  accident  prevention. 

Skills  are  affected  by  many  things,  such  as  strength,  fatigue, 
attitudes,  emotion,  alcohol,  vision,  and  others. 

Environmental  hazards.  It  is  unrealistic  to  think  that  we 
can  create  a  perfectly  safe  environment.  Despite  our  ina¬ 
bility  to  control  our  environment  completely,  only  a  small 
percentage  of  accidents  are  strictly  attributed  to  environ¬ 
mental  factors.  Good  engineering  practices  with  good  design 
reduce  the  environmental  problems. 

Improper  habits  and  attitudes.  Every  worker  should  thoroughly 
understand  the  development  of  attitudes  and  their  possible 
modifications . 

Unsafe  behavior.  Unsafe  behavior  is  the  end  result  of  man's 
failure  to  develop  proper  habits,  attitudes,  and  knowledge 
concerning  safety.  Safe  behavior  entails  responding  correctly 


under  all  circuitistamces ,  and  avoiding,  when  possible,  high- 
risk  situations.  There  is  no  excuse  for  purposely  engaing  in 
unsafe  behavior. 

Accidents  are  the  result  of  many  proximate  and  casual  fac¬ 
tors.  These  factors,  or  variables,  interact  to  creat  unsafe 
acts  and  unsafe  conditions,  or  both,  which  cam  terminate  in 
an  accident  causing  injury,  death,  or  property  damage.  An 
unsafe  act  or  condition  alone,  or  in  some  combination,  if 
occurring  at  the  right  time  may  create  an  accident. 

It  is  axiomatic  that  effective  prevention  must  have  a 
focal  point  of  application.  This  implies  that  the  probable 
cause  of  future  accidents  can  be  predicted.  This,  in  turn, 
implies  that  the  causes  of  past  accidents  have  been  determined. 

The  cost  of  accidents  is  high.  In  the  past  decade  from 
1970,  the  cost  of  aircraft  accidents  in  the  Korean  Air  Force 
approaches  $50  million  (not  including  piloes) [Aircraft 
Accident  Data  of  Korean  Air  Force,  1980]  .  As  a  country  that 
has  small  numbers  of  aircraft,  this  represents  a  tremendous 
cost.  In  the  case  of  the  U.S.  Navy/Marines ,  the  total  acci¬ 
dent  cost  (Figure  3)  is  greater  than  the  K.A.F.  For  ulti¬ 
mate  efficiency  with  maximum  operational  readiness  and  minimum 
cost,  more  detailed  accident  prevention  programs  must  be 
followed.  Accident  prevention  is  best  pursued  within  the 
framework  of  a  systematic  program  (Figures  4,  5,  6) . 

Figure  4  represents  a  model  of  the  factors  that  may  be 
involved  in  carrying  out  a  system  safety  program.  Minor 


15 


Figure  3.  U.S.  Navy /Marine  Average  Cost  per  Major  Aircraft  Accident 
(24th  Annual  Meeting  of  the  Human  Factors  Society, 

Los  Angeles,  October  1980) 


^  I 

I  Pl 

hHii 

Hill 


r  ?  -  N 

mill 


ifiic 


If  I  I 

iUn,!  I  • 

lillllllill 


M;  i 

« s 15  rf 

UUla 


tl  M 

Jil 


II  111  N 


iHiiHHiM  li  n  H  1 


m 


111! 


*  - 1 
j  -1 


i=ii} 


j  =  >!=lli=)i=iiM  =  l 


1 15  _  s|g  _  ? ||  _  t|  _  I • 
-51?  -ii  - II 


I 


aiHiHiiiBmii 


Figure  4.  Safety  Program  Model  (Hammer;  Handbook  of  System 
and  Product  Safety,  1972,  p.  36) 


Figure  5.  An  Optimal  Level  of  Safety  Performemce 

(Industrial  Engineering,  Jan.  1976,  p.  20) 


18 


Figure  6.  Safety  Improvement  Flow  Chart 
(Industrial  Engineering,  March 
l§74',""p.^)  - 


19 


differences  will  exist  in  actual  practice  because  of  the 
different  organizational  structures.  However,  the  model 
indicates  broadly  the  process  that  takes  place. 

A  safety  program,  regardless  of  its  characteristics  or 
goal,  does  cost  money  and  require  time.  It  is  generally 
accepted  that  as  the  level  of  safety  performance  increases, 
the  better  will  be  the  chances  for  reducing  hazards,  and 
consequently,  the  frequency  as  well  as  severity  of  accidents. 
Beyond  a  certain  performance  level,  however,  the  expected 
reduction  in  hazards  starts  to  taper  off  and  will  not  be  of 
appreciative  magnitude  to  offset  the  cost  associated  with 
high  levels  of  safety  activities.  This  is  explained  well 
i:i  Figure  5. 

Figure  6  as  presented  in  the  overall  safety  improvement 
effort  through  the  accidents  reduction  approach,  includes  the 
following  basic  steps. 

a.  Field  data  assembly. 

In  this  step  operating  data  are  gathered  on  the  system 
to  be  amalyzed  to ;  acquaint  the  analyst  with  system  opera¬ 
ting  methods,  procedures  and  equipment;  cind  obtain  operating 
data  in  the  form  of  methods  auid  time  data  for  system  operations. 
In  addition,  accident  data  are  gathered  to  provide  a  basis 
for  identifying  accident  problem  areas  and  determining  poten¬ 
tial  accident  cost  savings. 

b.  System  definition. 

Flow  charting.  Functional  flow  charts  should  be  developed 
to  define  the  system.  The  charts  serve  as  a  guide  for  project 


members,  put  them  on  the  Scime  level  of  thinking,  cind  allow 
standard  methods  and  procedure  references  that  all  understand. 

The  charts  should  have  a  numbering  system  by  function 
to  permit  coding  of  accident  data.  The  codes  allow  quick 
reference  to  what  work  function  was  being  performed  when  an 
accident  occurred,  and  are  a  means  for  computerized  accident 
information  storage  and  retrieval. 

Accident  data.  All  accident  data  gathered  are  defined/ 
coded  by  work  fvinction  and  hazards  or  causes  assigned  to 
accidents.  Hazards  definition  is  needed  to  indicate  equip¬ 
ment  and  system  shortcomings  with  regard  to  safety. 

c.  Identifying  problem  areas. 

Once  hazards  and  safe  data  have  been  gathered,  they 
must  then  be  examined  for  safety  problem  areas.  The  problem 
areas  should  be  defined  so  that  concepts  may  be  readily 
developed. 

d.  Concept  development. 

Once  safety  problems  have  been  defined,  the  next  step 
is  to  develop  concepts  that  will  eliminate  or  protect  against 
hazards  and,  as  a  result,  reduce  accidents. 

e.  Safety  evaluation. 

The  effects  on  safety  are  determined  by  using  the  hazards 
exposure  data  and  estimating  the  reduction  in  hazards  exposure 
for  all  functions  attributable  to  a  new  concept .  The  hazards 
exposure  reduction  is  an  engineering  estimate  made  by  com¬ 
paring  current  machines/systems  with  those  proposed,  and 
noting  by  work  function  where  hazards  exposures  have  been 


21 


increased  or  decreased  and  by  how  much.  The  reduction  ex¬ 
pected  in  accidents  is  proportional  to  the  reduction  in  the 
hazard  exposure. 

£.  Recommendations. 

The  last  step  is  to  consider  evaluation  results  for  con¬ 
cepts  and  alternatives  and  make  a  decision  for  further  study, 
or  choose  the  most  attractive  alternatives  for  design 
development. 

There  are  certain  fundcimental  concepts  and  methods  that, 
if  properly  applied,  can  increase  the  probability  of  success. 
Accident  prevention  is  a  composite  of  many  related  functions, 
each  of  which  must  be  given  proper  weight  to  assure  a  balanced 
cuid  productive  program.  It  may  be  considered  a  closed-loop 
system  (Figure  7)  comprising  many  feedback  loops  in  which 
information  is  collected  by  the  responsible  agency,  is  appro¬ 
priately  processed,  is  systematically  analyzed,  and  then  is 
disseminated  to  those  in  a  position  to  make  use  of  the  infor¬ 
mation.  The  results  of  this  dissemination  are  reevaluated  in 
the  light  of  future  accidents. 

To  put  safety  in  its  proper  perspective,  it  must  be  first 
realized  that  safety  and  efficiency  are  products  of  each 
other.  That  is,  the  safe  establishment  is  efficient.  With 
this  in  mind,  safety  then  becomes  a  meinagement  problem  smd 
not  just  the  concern  of  the  foreman  or  the  supervisor. 

Petersen  (1978)  suggests  five  basic  principles  of  a  safety 
management  progreun.  These  are; 


22 


FIX 


PREACCIDENT  PLAN 


RECOMMENDATIONS 

DISSEMINATE 

ANALYZE 


ACCIDENT 

INVESTIGATE 

REPORT 


CLOSED  LOOP  FEEDBACK  SYSTEM 

Figure  7.  Organizational  Approach  to  Safety 
(Zeller,  1978) 


a.  An  unsafe  act,  an  unsafe  condition,  and  an  accident 
are  all  symptoms  of  failure  in  the  management  system. 

b.  Certain  circumstances  are  predictive  of  severity  of 
accidents . 

c.  Safety  should  be  managed  like  any  other  operational 
function . 

d.  An  effective  safety  program  will  provide  establishment 
of  responsibility  and  accountability. 

e.  The  function  of  safety  is  to  locate  and  define  the 
operational  errors  that  allow  accidents  to  occur. 

This  function  Ceui  be  carried  out  in  two  ways:  1)  by 
asking  why  accidents  happen — searching  for  their  root 
causes — and  2)  by  asking  whether  certain  known  effec¬ 
tive  controls  are  being  utilized. 


23 


Now  comes  the  problem  of  safety  measurement.  W.  Tarrants 
(1979)  discussed  this  problem  as  the  problem  that  has  existed 
since  the  very  beginning  of  organized  attempts  to  control 
accidents  and  their  consequences.  In  its  most  elementary 
form,  measurement  has  been  defined  as  "the  process  of  assign¬ 
ing  numerals  to  objects  according  to  rules"  (Stevens,  1951). 

When  we  apply  this  definition  in  the  safety  field,  we  are 
quiclcly  confronted  with  problems  concerning  what  "objects"  to 
measure  and  what  "rules"  to  follow. 

The  progress  eind  maturity  of  a  science  or  technology  are 
often  judged  by  whatever  success  has  been  achieved  in  the  use 
of  measures.  Measurement,  perhaps  more  than  any  other  single 
aspect,  has  been  the  principle  stimulus  of  progress  in  all 
professional  fields.  Measurement  is  the  backbone  of  any 
scientific  approach  to  problem  definition  and  solution.  With¬ 
out  adequate  measurement  in  the  safety  field  we  can  not  des¬ 
cribe  the  safety  state  of  our  operations  or  determine  whether 
or  not  our  safety  programs  are  really  accomplishing  anything. 
Sound  measurement  is  an  absolute  prerequisite  for  control  and 
both  are  necessary  for  prediction . 

The  present  thesis  effort  will  1)  perform  a  literature 
survey  of  the  techniques  to  measure  safety  which  are  applica¬ 
ble  to  measurement  of  flight  safety,  2)  emphasize  the  importance 
of  accident  data  collection  for  analyzing  them,  3)  refer  to 
K.A.F.  accident  data  currently  collected  whether  they  are 
applicable  or  not  to  measure  flight  safety,  and  finally 


24 


4)  suggest  methodology  to  collect  data  for  applying  each 
technique . 


25 


II .  LITERATURE  SURVEY 


It  has  become  apparent  that  there  are  many  problems  asso¬ 
ciated  with  defining  a  universal  criterion  for  safety  measure¬ 
ment  and  assessment.  One  of  the  chief  concerns  with  the 
conventional  standards  is  the  emphasis  on  accident  data. 

Many  now  recognize  that  this  is  more  a  reaction  to  existing 
problems  thcin  action  toward  prevention  or  control  of  future 
problems.  Although  experience  can  be  a  valuable  teacher, 
accident  experience  points  to  needless  loss,  and  too  often 
doesn't  give  sufficient  information  for  prevention. 

Personal  values  present  another  problem  in  safety  measure¬ 
ment  and  assessment.  Safety  attitudes  are  strongly  dependent 
on  the  personal  values  of  workers,  line  management,  and 
corporate  mauiagement;  effective  safety  measurement  techniques 
must  be  capable  of  addressing  this  behavioral  aspect. 

Applying  statistical  methods  to  the  population  of  events 
related  to  accidents  is  another  problem  area.  Predictions 
based  on  statistical  analyses  of  accident  data  have  been 
described  as  unreliable  due  to  the  combination  of  variables, 
rare  events  and  small  sample  sizes.  Often,  attempts  are 
made  to  by-pass  this  obstacle  by  combining  nonsimilar  events 
into  a  larger  population  universe. 

Among  the  methods  used  for  safety  measurement  are  included 
statistical  quality  control  techniques,  system  safety  analysis 
techniques,  critical  incident  technique,  learning  curve. 


26 


frequency  and  severity  rate,  safety  Scunpling,  double  average 
comparison  technique.  Here  the  author  will  describe  the 
methods  which  are  applicable  to  flight  safety  measurement. 

A.  CONTROL  CHARTS 

Greenberg  (1971)  suggests  that  the  techniques  of  statis¬ 
tical  quality  control  are  ready-made  tools  for  safety  analy¬ 
sis  because  the  safety  professional  has  common  problems  with 
the  quality  inspector;  both  would  like  to  be  everywhere 
simultaneously  to  detect  changes;  and  both  have  to  apply  some 
practical,  effective  approaches  to  their  problems.  Control 
charts  are  used  for  this  purpose.  According  to  Brown  (1976), 
a  control  chart  is  a  visual  means  by  which  an  analyst  judges 
whether  a  process  is  in  control  or  not.  The  measurement 
plotted  on  the  chart  are  those  of  any  random  variable.  Hence 
the  frequency  and  severity  of  accidents,  as  well  as  any  other 
intermediate  indicator  of  hazards,  could  be  plotted.  Judgments 
based  upon  these  plots  determine  if  the  process  is  in  control 
with  respect  to  the  random  variable  under  consideration. 

Figure  8  shows  the  typical  layout  of  a  control  chart. 

The  units  of  the  random  variable  are  given  on  the  vertical 
scale,  indicating  that  the  height  of  the  plotted  point  repre¬ 
sents  the  value  of  the  reindom  variable  for  the  indicated 
time  period.  The  time  scale,  given  by  horizontal  line 
shows  when  the  value  occurred. 

Measurement  of  central  tendency  and  spread  define  the 
expected  concentration  auid  range  of  the  variable .  Thus ,  if 


27 


Figure  8 .  Sample  Control  Chart 

(Brown,  D.B.  [1976],  p.  230) 


28 


the  variable  behaves  in  a  nonrandom  way,  we  can  conclude  that 
an  outside  influence  is  affecting  the  random  variable.  The 
common  way  of  identifying  when  this  occurs  is  through  the 
use  of  an  upper  and  a  lower  control  limit.  These  are  generally 
placed  at  equal  disteuices  above  and  below  the  mean  line. 

The  measured  values  as  they  are  recorded  in  time  are 
plotted  as  indicated  in  Figure  8.  A  point  falling  above  or 
below  the  control  limits,  respectively,  is  indicative  of  an 
out-of-control  situation,  and  assignable  causes  are  generally 
sought.  There  are  other  indications  of  out-of-control  situa¬ 
tions,  also.  However,  prior  to  discussing  these,  the  means 
for  obtaining  the  control  limits  will  be  given. 

The  procedures  for  setting  control  limits  are  essentially 
the  same  as  those  for  setting  the  acceptance  limits  in  a  test 
of  hypothesis.  The  first  step  involves  the  establishment  of 
significance  level  a,  that  is,  the  probability  of  concluding 
that  the  process  is  out  of  control  when  in  fact  it  is  in  con¬ 
trol.  If  methods  of  identifying  causes  are  expensive  and 
the  variable  is  not  critical,  a  low  probability  can  be  tolerated. 
However,  if  an  early  indication  of  lack  of  control  is  necessary, 
then  a  high  probability  of  this  error  should  be  specified. 

Once  the  value  of  a  is  determined,  the  next  question  involves 
the  definition  of  control.  Quite  often  the  state  "out  of  con¬ 
trol"  occurs  in  one  direction  only,  that  is,  upper  control 
limit  would  be  required  as  it  would  in  most  cases  of  pollution 
measurements  (Figure  9) .  Other  monitoring  of  processes  would 
require  both  an  upper  and  a  lower  control  limit. 


29 


Warning  Zona 


Figure  9.  Seunple  of  a  Safety  Control  Chart  Used  in 
Statistics  Approach  to  Safety  Evaluation 
(Industrial  Engineering,  Dec.  1975,  p.  20) 


In  either  case,  the  value  of  a  chosen  will  represent  the 
total  area  of  probability  in  the  out-of -control  portion  of 
the  chart.  The  upper  and  lower  control  limits  are  obtained 
depending  upon  the  random  variable,  its  distribution,  and 
the  value  of  a  chosen. 

Brown  (1976)  suggests  in  the  following  example  that  the 
frequency  of  accidents  of  a  plant  has  a  normal  distribution 
with  a  mean  of  6  eind  a  st^uldard  deviation  of  1.5.  Frequencies 


for  the  first  6  months  have  been  4,  7,  5,  12,  8,  and  6.  Set 
up  a  monthly  control  chart  for  frequency.  Allow  for  a  .05 
probability  of  calling  a  point  out  of  control  when  it  is  not. 

In  this  excunple  "out  of  control"  is  strictly  in  terms  of 
an  upper  limit.  However,  the  analyst  chooses  to  set  up  a 
lower  limit  to  provide  possible  evidence  of  a  lowering  of  the 
accident  frequency.  Thus  the  .05  probability  will  be  divided, 
.025  above  the  upper  limit  and  .025  below  the  lower  limit. 

The  upper  limit  becomes 


U.L.  -  X  +  Z,o25  ‘^x 


=  6  +  1.96(1.5)  =  8.94 


and  the  lower  limit  is 


where 


L.L.  =  X  -  2^025  ^x 


=  6  -  1.96(1.5)  *  3.06 


Z  =  (which  "standardizes"  any  normally 

^  distributed  random  variable) 


X  = 


n  X. 

I  — 


=  '/(^(x,  -x)^)/n-l  =  E[(x-u^)^] 

A  X  X  X 


=  E[x] 


31 


The  control  chart  is  given  in  Figure  10.  The  fourth  month 
was  obviously  out  of  control,  and  assignable  causes  should  be 
sought.  In  this  example  the  assumption  of  normality  should 
be  tested  since  it  does  not  hold  generally. 


Figure  10.  Control  Chart  for  Example  Described  in 
Text  (Brown,  1976,  p.  231) 

The  construction  of  the  chart  is  simply  a  matter  of  apply¬ 
ing  hypothesis  testing  on  a  continuous  basis.  The  primary 
advantage  is  that  continuous  visual  perception  of  the  random 
variable  is  maintained.  This  continuous  picture  enables  the 
analyst  to  make  judgments  not  otherwise  discernible.  This 
is  not  limited  to  the  upper  and  lower  control  limits  demon¬ 
strated  above.  Other  factors  that  the  analyst  can  use  as 
indicators  of  abnormal  operational  behavior  include: 


32 


a.  Several  points  (four  or  more)  in  a  row  on  one  side 

of  the  mean  line.  The  probability  of  four  consecutive  points 

4 

on  one  side  is  approximately  .5  ,  or  .0625. 

b.  Identifiable  cycles.  Here  two  or  three  years  of  history 
may  be  required  to  identify  a  given  month  or  other  period 

of  time  when  the  operation  acts  in  an  irregular  manner. 

c.  Several  points  in  a  row,  either  monotonically  increasing 
or  decreasing  away  from  the  mean  line.  The  probability  of 
this  type  of  trend  is  difficult  to  establish.  However,  since 
these  points  are  all  on  one  side  of  the  mean  line,  the  proba¬ 
bility  will  be  considerably  less  than  .5^,  where  n  is  the 
number  of  points  exhibiting  this  characteristic. 

In  quality-control  situations,  3a  control  limits  are 

generally  used,  based  on  the  1-in-lOOO  value  of  a  under  the 

normal  distribution  assumption.  The  2a  and  la  lines  may  also 

be  set  up,  however,  to  help  the  analyst  identify  other  out- 

of-control  indicators.  For  example,  two  points  in  a  row 

outside  of  2a  limits  would  have  an  approximate  probability 
2 

of  (.025)  =  .000625,  which  is  about  the  same  as  the  probability 

of  one  point  outside  3a  limits,  assuming  normality.  Although 
control  charts  for  safety  applications  should  not  be  restricted 
to  the  a  =  .001  value,  the  concept  of  intermediate  lines  to 
identify  irregularities  is  a  good  one. 

B.  SYSTEMS  SAFETY  ANALYSIS 

To  understand  the  systems  safety  analysis  we  should  first 
have  a  clear  picture  of  what  a  system  is.  Worick  (1975) 


33 


defines  a  system  as  an  orderly  arrangement  of  components  which 
are  interrelated  and  which  act  and  interact  to  perform  some 
task  or  function  in  a  particular  environment.  The  main  points 
to  keep  in  mind  are  that  a  system  is  defined  in  terms  of  a 
task  or  function ,  and  that  the  components  of  a  system  are 
interrelated,  that  is,  each  part  affects  the  others.  The 
task  or  function  which  a  system  performs  may  be  simple  or 
complex.  Sometimes  it  is  convenient  to  break  up  a  complex 
task  into  simpler  tasks  and  consider  subsystems  of  the  larger 
system.  Subsystems  consist  of  part  of  the  components  of  the 
overall  system  and  perform  a  portion  of  the  overall  task 
(Figure  11) .  The  components  of  a  system  cam  cover  a  wide 
range  including  machines,  tools,  material,  environmental  fac¬ 
tors,  people,  documents  (such  as  operating  instructions, 
training  manuals ,  or  computer  programs ) ,  amd  so  on .  As  part 
of  a  system,  the  components  usually  complement  each  other 
but  it  is  essential  to  recognize  that  a  failure  or  malfunction 
of  any  component  can  affect  the  other  components  and  thus 
degrade  the  performamce  of  the  task. 

The  sequential  steps  required  in  all  system  analyses 
(Figure  12)  are: 

a.  Recognition  that  a  problem  exists  and  that  the  solution 
may  be  eunenable  to  systems  analysis  techniques. 

b.  Definition  of  that  problem  in  an  appropriate  form, 
including  a  definition  of  objectives,  requirements,  and  con¬ 
straints  of  times,  resources,  operational  environment,  social 
acceptability,  etc. 


34 


SYSTEM 


•5 


Figure  11.  Example  of  System  Elements  in  Aircraft  Accidents 
(Kent  J.  Kogler  [1976],  p.  7) 


Figure  12. 


Systems  Development  Flow  Diagram 
(System  Psychology — DeGreene 


[11 


c.  Definition  of  system  itself t  in  terms  of  its  hierarchi¬ 
cal  level,  boundaries,  interfaces,  environments,  functions, 
and  constituent  subsystems  and  their  interactions,  usually 
expressed  in  input/throughput/output  terms.  This  iterative 
process  begins  with  gross  approximations  and  works  toward 
minute  preciseness,  involving  test  and  modification  of  the 
original  concept.  The  result  should  be  a  conceptual  model 
amenable  to  quantitative  analysis. 

d.  Definition  of  performance  criteria  for  the  system  as 

a  whole,  for  the  various  levels  of  organization,  and  for  the 
combination  of  its  constituents. 

e.  Definition  of  alternative  configurations  and  their 
evaluation  in  terms  of  costs,  effectiveness,  state  of  develop¬ 
ment,  environmental  constraints,  etc. 

f.  Presentation  of  alternatives  and  tradeoff  results 
to  the  user.  A  number  of  choices  should  be  presented  in 
order  of  preference. 

g.  Performemce  of  ongoing,  iterative  engineering  and  human 
factors  analyses  during  systems  development. 

h.  Analyses  of  operational  systems  to  gether  basic  per¬ 
formance  data. 

The  importance  of  these  preliminary  steps  cannot  be  over¬ 
emphasized.  As  in  any  research,  the  analyst  himself  may 
introduce  bias  in  the  form  of  poor  problem  formulation,  not 
understanding  the  system,  or  in  not  understanding  the  true 
role  of  euialysis.  In  some  cases,  it  may  not  be  known  until 
the  system  is  complete  whether  the  problem  was  defined  correctly. 


37 


[ 


There  are  several  methods  which  are  used  for  the  systems 
analysis  techniques,  but  the  author  will  describe  here  the 
fault  tree  and  cost-effective  analysis. 

1 .  Fault  Tree  Analysis 

Fault  Tree  Analysis  (FTA)  was  developed  mainly  by 
engineers  who  studied  engineering  systems  in  great  detail, 
with  little  or  no  contribution  by  mathematicians.  A  possible 
explanation  given  by  R.E.  Barlow  (1975)  ,  J.B.  Fussell  (1975) 
and  N.D.  Singpurwalla  (1975)  is  the  fact  that  the  construc¬ 
tion  of  the  fault  tree,  a  basic  step  in  fault  tree  analysis, 
requires  an  intimate  knowledge  of  the  manner  in  which  a  sys¬ 
tem  is  designed  and  operated.  The  mathematician's  lack  of 
fauniliarity  with  the  operation  of  systems,  and  perhaps  their 
preoccupation  with  mathenatically  well-defined  problems,  has 
deterred  their  interest  in  fault  tree  analysis. 

Brown  (1976)  developed  Fault  Tree  and  cost/benefit  analy¬ 
sis  for  choosing  optimal  safety  alternatives.  Brown  shows 
how  negative  utility  amounts  can  be  assigned  to  all  possible 
head  events  and  the  relevant  possibilities  multiplied  by  the 
negative  utilities.  The  results,  which  are  expected  negative 
utility  amounts,  are  called  "measures  of  criticality". 

Reductions  in  negative  expected  utility  or  criticality 
are  considered  to  be  quantitative  expressions  of  benefits  or 
effectiveness,  and  these  are  then  related  to  costs  to  find 
the  optimal  combination  of  safety  alternatives  for  the  deci¬ 
sion  maker's  cost-benefit  trade-off  function. 


38 


f 


Using  Brown's  methodology  the  safety  manager  should 
first  utilize  the  fault-tree  analysis  technique  as  a  logical 
approach  to  identify  the  areas  in  a  system  that  are  most 
critical  to  safe  operation. 

According  to  R.E.  Barlow  (1975)  and  H.E.  Lambert 
(1975) ,  FTA  is  one  of  the  principle  methods  of  systems  safety 
analysis.  FTA  evolved  in  the  aerospace  industry  in  the  early 
1960 's.  It  was  the  result  of  a  contract  between  the  Air  Force 
Ballistics  Systems  Division  and  Bell  Telephone  Laboratories 
for  the  study  of  inadvertent  launch  in  the  Minuteman  ICBM 
(Delong,  1970) .  After  initial  work  at  Bell  Telephone  Labora¬ 
tories,  development  of  fault  tree  continued  at  the  Boeing 
Company,  where  scientists  devoted  much  effort  to  develop  its 
procedures  farther  and  became  its  foremost  proponents.  The 
principle  of  Boolean  algebra  (Appendix  A)  is  applied  for  FTA. 

Rogers  (1971)  has  referred  to  the  following  six  steps 
that  were  used  in  applying  the  technique  to  the  Minuteman 
Progrcun; 

1.  Define  the  undesired  event. 

2.  Acquire  complete  understanding  of  the  system. 

3.  Construct  the  fault  tree  diagram. 

4.  Collect  quantitative  data. 

5.  Evaluate  fault  tree  probability. 

6.  Analyze  computer  results. 

Undesired  events  requiring  FTA  are  identified  either 
by  inductive  analysis,  such  as  a  preliminary  hazard  analysis. 


39 


or  by  intuition.  These  events  are  usually  undesired  system 
states  that  can  occur  as  a  result  of  subsystem  functional 
faults. 

FTA  is  a  detailed  deductive  analysis  that  usually 
requires  consideraible  system  information.  It  can  be  a  valua¬ 
ble  design  tool.  It  can  identify  potential  accidents  in  a 
system  design  cind  can  help  to  eliminate  costly  design  changes 
and  retrofits.  FTA  can  also  be  a  diagnostic  tool.  It  can 
predict  the  most  likely  causes  of  system  failure  in  the  event 
of  a  system  breakdown  - 

A  major  difficulty  with  quantitative  fault  tree 
evaluation  is  the  lack  of  pertinent  failure  rate  data.  Even 
in  cases  where  the  data  are  goodk  it  is  not  clear  that  we  cam 
justify  one  system  environment,  data  that  were  obtained  in  a 
different  system  environment.  Nevertheless,  quantitative 
evaluations  are  particularly  valuable  for  comparing  systems 
designs  that  have  similar  components.  The  results  are  not  as 
sensitive  to  failure  rate  data  as  in  am  absolute  determina¬ 
tion  of  the  system  failure  probaibility . 

The  goal  of  fault  tree  construction  is  to  model  the 
system  conditions  that  can  result  in  the  undesired  event. 

One  of  the  advantages  of  manual  fault  tree  construction  is 
that  it  forces  the  analyst  to  understand  the  system  thoroughly. 
Before  the  construction  of  a  fault  tree  can  proceed,  the 
analyst  must  acquire  a  thorough  understamding  of  the  system. 

In  fact,  a  system  description  should  be  part  of  the  analysis 


dociomentation .  The  analyst  must  carefully  define  the  un¬ 
desired  event  under  consideration,  called  the  'top  or  head 
event'  . 

a.  Event  Description 

A  fault  tree  is  a  model  that  graphically  and 
logically  represents  the  various  combinations  of  possible 
events,  both  fault  and  normal,  occurring  in  a  system  that 
leads  to  the  top  event.  The  term,  event,  denotes  a  dynamic 
cheinge  of  state  that  occurs  to  a  system  element.  System  ele¬ 
ments  include  hardware,  software,  humam  and  environmental 
factors. 

b.  Event  Symbols 

The  symbols  shown  in  Figure  13  represent  specific 
types  of  fault  and  normal  events  in  FTA.  The  rectangle  defines 
ein  event  that  is  the  output  of  a  logic  gate  and  is  dependent 
on  the  type  of  logic  gate  aind  the  inputs  to  the  gate.  The 
circle  defines  a  basic  inherent  failure  of  a  system  element 
when  operated  within  its  design  specifications.  It  is  there¬ 
fore  a  primary  failure,  and  is  also  referred  to  as  a  generic 
failure.  The  diamond  represents  a  failure,  other  than  a  pri¬ 
mary  failure  that  is  purposely  not  developed  further.  The 
switch  event  represents  an  event  that  is  expected  to  occur 
or  to  never  occur  because  of  design  and  normal  conditions, 
such  as  a  phase  chemge  in  a  system.  The  conditional  input 
may  be  applied  to  any  gate  and  describes  a  condition  which 
must  be  present  to  produce  the  output.  For  example,  an 


41 


Fault  Event 


Basic  Event 


Transfer  OUT 


Conditional  Input 


Figure  13.  Event  Symbols  Used  in  Fault  Tree  Analysis 
(Brown,  D.B.  [1976],  p.  158  and  Rodgers, 
W.P.  [19711 ,  p.  41) 


order  sequence  of  the  inputs  to  an  AND  GATE  may  be  described 
as  a  condition  input.  The  tricingles  are  used  as  transfer 
symbols.  A  line  from  the  apex  indicates  a  transfer  in,  and 
a  line  from  the  side  shows  a  transfer  out. 

c.  Logic  Gates 

The  fundamental  logic  gates  for  fault  tree  con¬ 
struction  are  the  OR  and  the  AND  gates.  The  OR  gate  des¬ 
cribes  a  situation  where  the  output  event  will  exist  if  one 
or  more  of  the  input  events  exist.  The  END  gate  describes 
the  logical  operation  that  requires  the  coexistence  of  all 
input  events  to  produce  the  output  event.  the  INHIBIT  GATE 
describes  the  relationship  between  one  fault  and  another. 

The  input  event  causes  the  output  event  if  the  indicated  con¬ 
dition  is  satisfied.  If  the  condition  involves  a  specific 
failure  mode,  it  is  represented  by  an  oval.  It  is  shown  in 
a  rectangle  if  the  condition  described  is  one  that  may  exist 
anytime  during  the  life  of  the  system.  The  symbols  for  the 
logic  gates  are  shown  in  Figure  14. 

d.  Construction  Methodology 

The  fault  tree  is  so  structured  that  the  sequences 
of  events  that  lead  to  the  undesired  events  are  shown  below 
the  top  event  and  are  logically  related  to  the  undesired 
event  by  logical  gates.  The  input  events  to  each  logic  gate 
that  are  also  outputs  of  other  logic  gates  at  a  lower  level 
are  shown  as  rectangles.  These  events  are  developed  further 
until  the  sequences  of  events  lead  to  basic  causes  of  interest. 


43 


Output 


Output 


TTT 

OR  Gate 


Figure  14. 


Inputs 


A  ^ 


AiJD  Gate 


Inputs 


Symbols  for  Logic  Gates  Used  in  Fault  Tree 
Analysis  (Rodgets,  W.P.  [1971],  p.  40) 


[ 

> 


called  "basic  events".  The  basic  events  appear  as  circles 
and  diamonds  on  the  bottom  of  the  fault  tree  and  represent 
the  limit  of  resolution  of  the  fault  tree.  The  structuring 
process  is  used  to  develop  fault  tree  flows  in  a  fault  tree 
(Figure  15)  when  a  system  is  examined  on  a  functional  basis, 
that  is,  when  failures  of  system  elements  are  considered. 

At  this  level,  schematics,  piping  diagrams,  process  flow 
sheets,  etc.,  are  examined  for  cause  and  effect  types  of 
relationships  to  determine  the  subsystem  and  component  fault 
states  that  Ccin  contribute  to  the  occurrence  of  the  undesired 
event. 

e.  Purpose  of  Fault  Tree  Construction 

The  fault  tree,  once  constructed,  serves  as  an 
aid  in  determining  the  possible  causes  of  an  accident.  When 
properly  used,  the  fault  tree  often  leads  to  discovery  of 
failure  combinations  which  otherwise  might  not  have  been 
recognized  as  causes  of  the  event  being  analyzed.  The  fault 
tree  can  be  used  as  a  visual  tool  in  communicating  and  supporting 
decisions  based  on  the  euialysis,  such  as  determining  the  ade¬ 
quacy  of  a  system  design.  The  fault  tree  provides  a  convenient 
and  efficient  format  helpful  for  either  qualitative  or  quanti¬ 
tative  evaluation  of  the  fault  tree,  such  as  determination 
of  the  probability  of  the  occurrence  of  the  top  event. 

f.  Evaluation  of  the  Fault  Tree 

An  objective  of  fault  tree  evaluation  is  to  deter¬ 
mine  if  there  is  an  acceptable  level  of  safety  in  the  proposed 


45 


system  design,  i.e.,  will  the  proposed  design  suitably  mini¬ 
mize  the  probability  of  the  occurrence  of  the  top  event. 

If  the  system  design  is  found  inadequate,  then  the  design  is 
upgraded  by  first  identifying  critical  events  (such  as  com¬ 
ponent  failures)  that  significantly  contribute  to  the  top 
event.  Cost  constraints,  contractual  requirements,  and  other 
factors  limit  the  design  changes  that  can  be  made.  Therefore, 
trade-off  studies  are  necessary  to  determine  what  changes  will 
be  incorporated  to  reduce  the  effect  of  the  critical  events. 
When  all  design  changes  are  made,  the  fault  tree  is  re¬ 
evaluated  to  determine  if  the  revised  design  provides  an 
acceptable  level  of  safety  and/or  reliability. 

According  to  Brown  (1976)  the  purpose  of  developing 
a  fault  tree  and  qucintifying  it  is  to  effectively  allocate 
the  safety  budget.  To  do  this,  the  various  alternative  safety 
investments  are  considered  in  light  of  their  effect  upon  the 
fault  tree  and  the  resulting  head  event.  A  measure  of  cost/ 
benefit  is  then  determined  for  use  in  decision  maJcing.  Before 
completing  the  presentation  of  Brown's  methodology  some  ter¬ 
minology  as  given  by  Brown  will  be  introduced, 
g.  Cost 

Cost  is  defined  as  the  dollar  outlay  to  pay  for 
the  incorporation  of  a  device,  method,  procedure  and  so  on 
(henceforth  called  a  countermeasure)  into  the  industrial  sys¬ 
tem  for  a  given  unit  period  of  exposure.  Thus  the  cost  of 
devices  that  must  be  periodically  recharged  and/or  replaced 
is  based  on  average  costs  for  a  given  unit  (e.g.,  a  million 


47 


mem-hours  (mmh)  exposure  period) .  Permanent  fixtures,  such 
as  machine  guards,  can  be  prorated  on  the  basis  of  the  life 
of  the  machine.  The  cost  of  educational  programs  can  be 
prorated,  based  upon  their  frequency.  All  countermeasures 
must,  for  comparison  purposes,  have  a  common  denominator, 
h.  Benefit 

Benefit  is  the  negative  utility  reduction. 

Measure  of  benefit  is  the  expected  negative  utility.  There 
is  a  negative  utility  (or  cost  in  terms  of  dollars  and  personal 
well-being)  associated  with  accidents.  This  negative  utility 
depends  upon  the  severity  of  the  accident. 

The  expected  negative  utility  of  the  head  event 
if  it  occurs  can  now  be  calculated  by  the  following: 


where : 

th 

the  probability  of  occurrence  of  the  i 
severity  class  given  that  the  head  event 
occurs , 

the  number  of  severity  classes, 

the  negative  utility  associated  with  the 
ith  severity  class. 

An  alternative  method  for  calculating  E  would  be 
more  appropriate  if  the  values  of  negative  utility  from  a 
large  number  of  past  occurrences  of  the  head  event  were 
measured  directly.  Thus  the  expected  negative  utility 


48 


associated  with  the  head  event  would  be  obtained  from  the 
arithmetic  mean  of  these  measurements; 

n 


Both  equations  above  are  equivalent  under  the 
conditions  that  there  are  n  severity  classes  (N  =  n)  and  that 
the  probability  of  each  severity  class  is  equivalent  (P^  =  . 

This  occurs  when  each  accident  is  considered  as  a  unique 
situation . 

i.  Cost/Benefit 

This  term  is  a  vague  term  used  in  describing  a 
variety  of  applications.  Here  it  is  defined  as  the  dollars 
spent  per  negative  utility  reduction. 

j .  Criticality 

A  system  is  defined  as  critical  if  there  is  any 
failure  that  will  degrade  the  system  beyond  acceptable  limits 
auid  create  a  safety  hazard.  An  absolute  measure  of  criticality 
associated  with  the  head  event  can  be  obtained  as 


C  =  P  •  E 


where : 


C  =  the  expected  negative  utility  associated  with 
the  head  event  in  the  given  time  or  production 
unit. 

P  =  the  head  event  probability  (in  occurrence/mmh) . 

E  =  the  expected  negative  utility  (in  dollars/ 
occurrence  or  workday /occurrence  etc.). 


49 


k.  Determination  of  Head-Event  Probability 

The  value  of  P  can  be  obtained  assuming  that  a 
proper  unit  of  time  or  production  has  been  determined  to 
adequately  define  one  trial. 


P 


where ; 


N,  =  the  number  of  occurrences  of  the  head  event 
in  the  trials  given  by  the  chosen  time  or 
production  unit. 

An  alternative  way  to  determine  P  is  by  using  the 
fault  tree  end  branch  probabilities.  This  is  necessary  if 
the  effect  of  alternative  countermeasures  is  to  be  determined. 

In  the  OR  situation,  any  of  the  events  will  cause 
the  subsequent  event  to  occur  and,  therefore,  assuming  inde¬ 
pendence,  the  probability  of  occurrence  of  the  subsequent 
event  is  given  by 

n 

P  =  1  -  n  (1  -  q. ) 

^  i=l  ^ 

where : 

th 

q^  =  the  probability  of  the  i  causal  event, 
n  *  the  number  of  parallel  branches. 

In  the  AND  situation,  all  the  events  must  occur 
for  the  subsequent  event  to  occur  and,  therefore,  assuming 


50 


independence,  the  probability  of  occurrence  of  the  subsequent 
event  is  given  by 


n 

P.  =  n  q 

A  i=i  1 

Through  a  reiterative  process  the  probability  of 
the  head  event  can  be  determined  from  a  knowledge  of  the 
probabilities  of  the  branch  events.  This  is  the  value  of  P 
which  was  given  in  the  equation  C  =  PE.  A  system  modifica¬ 
tion  will  produce  a  change  in  this  value  of  expected  negative 
utility,  thus  providing  the  measure  of  benefit. 

Brown  (1976)  gives  various  examples  to  demonstrate 
the  entire  procedure. 

2.  Example 

Figure  16  is  an  example  fault  tree  for  developing 
the  head  event  "Chip  in  Eye  (Grinding)".  This  particular  fault 
tree  is  to  analyze  the  specific  type  of  eye  injury  that  might 
be  caused  by  the  grinding  operation.  Those  who  might  have 
this  accident  fall  into  two  mutually  exclusive  and  all- 
encompassing  categories;  (1)  operators  and  (2)  nonoperators. 
Further,  assume  that  the  accident  will  not  occur  if  adequate 
eye  protection  is  worn.  Therefore,  the  two  events  shown  illus¬ 
trate  the  first  breakdown.  The  event  "Operator  Fails  to  Wear 
Safety  Glasses"  has  an  abbreviated  label  which,  if  spelled  out 
in  detail,  would  read  "Operator  Fails  to  Wear  Safety  Glasses 
and  Is  Injured  by  Chip  in  Eye." 


51 


Figure  16.  Fault  Tree  Illustrated 


52 


The  AND  relationship  asks  the  question: 


What  must 


happen?"  not  "What  could  happen?"  Four  things  must  occur  in 
order  for  the  nonoperator  to  be  injured  in  this  way.  These 
four  are  listed  appropriately  under  the  AND  gate. 

The  event  "Motive  to  Go  into  Area"  analyzed  into  the 
specific  reasons.  This  event  is  used  under  OR  gate  here. 

In  Figure  17  the  probabilities  of  occurrence  are  given 
for  the  end  branch  events  for  any  million-man-hour  period. 
Suppose  that  records  show  that  in  the  past  there  have  been 
10  accidents  of  this  type,  of  which  7  were  First  Aid,  2  were 
Temporary  Total  (man  had  to  leave  job) ,  and  one  resulted  in 
a  Permanent  Partial  (caused  permanent  eye  damage) .  An  example 
of  negativue  utility  schedule  is  given  in  Table  I. 


Table  I 

An  Example  of  Negative  Utility 


Severity  Negative 


Classification 

Severity 

Utility 

1 

First  Aid 

20 

2 

Temporary  Total 

345 

3 

Permanent  Partial 

2,500 

4 

Permanent  Total 
(including  fatalities) 

21,000 

■k 

The  value  of  negative  utility  need  not  be  a  dollar  figure 
if  other  intangibles,  such  as  social  costs,  are  to  be 
considered.  For  this  example,  however.  First  Aid  was 
a  dollar  value  per  case  estimated.  All  other  figures 
are  average  costs  per  case  given  by  the  National 
Safety  Council,  'Accident  Facts',  1971. 


Figure  17.  Fault  Tree  Illustrated  the  Probabilities 
Assigned 


54 


The  expected  negative  utility  of  this  accident  is: 

E  =  .7(20)  +  .2(345)  +  .1(2500)  =  333 

The  probability  of  the  OR  gate  given  last: 

=  1  -  (1  -  0.05)  (1  -  .5)  (1-  .01)  =  1  -  .8935 

=  .1065 

The  probability  of  the  AND  gate  is: 

=  (.8) (.1065) (1) (.5)  =  .0426 

The  probeOaility  of  the  head  event  is: 

P  =  1  -  (1  - .01)  (1  -  .0426)  =  1  -  (.99)  (.9574) 

=  .0522 

This  is  the  probability  of  occurrence  of  the  head  event,  in 
any  million  manhours  of  exposure. 

The  criticality  associated  with  the  head  event  is: 

C  =  P  •  E  =  (.0522)  033)  =  17.38 

This  example  will  be  pursued  a  bit  further  to  deter¬ 
mine  how  modifications  on  the  fault  tree  are  handled.  If 
money  is  spent  to  improve  the  safety  of  this  system,  one  or 
more  of  the  basic  event  probabilities  in  the  fault  tree  should 
be  reduced  or  else  the  expected  severity  should  be  reduced. 

If  not,  either  the  expenditure  should  not  be  made,  or  else 
the  fault  tree  is  incorrect.  A  reduction  in  the  basic  event 


55 


probabilities  will  always  reduce  the  probability  of  the  head 
event,  P,  and  therefore  it  will  also  reduce  the  criticality, 

C,  of  the  event.  The  amount  by  which  the  criticality  is 
reduced  will  provide  a  measure  of  benefit  for  the  change  that 
was  made.  Hence  a  measure  of  benefit  can  be  estimated  for  any 
safety  investment. 

Consider  three  proposed  countermeasures  to  reduce  the 
probability  of  the  head  event  "Grinding  Chip  in  Eye"  originally 
presented  in  Figure  16.  Assume  the  three  alternatives  were 
given  as  in  Table  II. 


Table  II 

Three  Proposed  Countermeasures  and  Associated  Cost 


Alternative 


Description 


Effect 


Move  storage 
area  away  from 
grinding  area 


Both  1  and  2 


Reduce  proba¬ 
bility  events 
H  and  I  to 


Same  effects 
as  both  1 
and  2 


Let's  calculate  the  probability  of  head  event,  criticality, 
savings,  euid  cost/benefit. 


56 


Alternative  1 


P  *  1  -  (1  -  0,01)  (1  -  (0.8)  (.1065)  (1.0)  (0.05) 

=  1  -  0.9858  =  0.0142 

C  *  P  •  E  =  (0.0142)  (333)  *  4.73 

Savings  *  17.38-4.73  =  12.65 

Cost/Benefit  =  25/12.65  =  1.98 

Alternative  2 

P  »  1-  (1  -0.01)  (1  -  (0.8) (1  -  (1-0)  (1-0)  (1-0.01) )  (1.0)  (0.5) ) 

«  1  -  0.986  =  0.014 

C  =  (0.014)  (333)  *  4.66 

Savings  =  17.38  -  4.66  =  12.72 

Cost/Benefit  =  15/12.72  =  1.18 

Alternative  3 

P  =  1  -  (1  -0.01)  (1  -  (0.8)  (1  -  (1-0)  (1-0)  (1-0.01)  )  (1.0)  (0.05)  ) 

*  1  -  0.9896  =  0.0104 

C  «  (0.0104) (333)  =  3.46 

Savings  =  17.38  -  3.46  =  13.92 

Cost/Benefit  »  30/13.92  *  2.16. 


57 


Summary  for  alternatives  are  shown  in  Table  III. 


Table  III 

Three  Alternative  Cost/Benefit  Analyses 


Alternative 

Cost 

Benefit 

Cost/Benefit 

1 

$25 

12.65 

1.98 

2 

$15 

17.38 

4.66 

12.72 

1.18 

3 

$30 

17.38 

3.46 

13.92 

2.16 

The  best  investment  is  the  one  with  the  lowest  cost/ 
benefit  figure.  Alternative  2  is  superior  to  the  others  in 
terms  of  cost/benefit. 

C.  CRITICAL  INCIDENT  TECHNIQUE  (CIT) 

This  technique  is  widely  used  as  a  method  of  discovering 
and  attempting  to  reduce  or  control  hazardous  situations  be¬ 
fore  accidents  occur.  CIT  examines  previously  experienced 
difficulties  by  interviewing  persons  involved.  It  is  based 
on  collecting  information  on  hazards,  near  misses,  and  unsafe 
conditions  and  practices  from  operationally  experienced  per¬ 
sonnel.  It  can  be  used  beneficially  to  investigate  mcui-machine 
relationships  in  past  or  existing  systems  and  to  use  the 
information  learned  during  the  development  of  new  systems,  or 
for  the  modification  and  improvement  of  those  already  in 
existence.  The  technique  consists  of  interviewing  personnel 


58 


regarding  involvements  in  accidents  or  near  accidents;  diffi¬ 
culties,  errors,  and  mistakes  in  operations;  and  conditions 
that  could  cause  mishaps .  The  surveys  generally  request 
the  persons  interviewed  to  include  their  own  experiences  and 
also  experiences  of  other  personnel  whom  they  have  actually 
observed.  The  person  is  asked  to  describe  all  near  misses 
or  critical  mishaps  that  he  can  recall. 

In  effect,  the  CIT  accomplishes  the  saune  end  result  as  an 
accident  investigation:  identification  through  personal  in¬ 
volvement  of  a  hazard  that  has  or  could  result  in  injury  or 
damage.  When  the  witnesses  who  observed  a  mishap  or  near 
miss,  but  were  not  participants,  are  added  to  those  who  were 
involved,  an  extremely  large  population  is  available  from  which 
information  on  accident  causes  can  be  derived. 

Even  isolated  incidents  reported  by  the  technique  can  be 
investigated  to  determine  whether  corrective  action  is  necessary 
or  advantageous.  However,  when  a  large  number  of  persons  are 
interviewed  regarding  similar  types  of  equipment  or  operations, 
similarities  begin  to  appear  in  reports  of  hazards  and  near 
misses.  Where  these  indicate  deficiencies,  difficulties,  or 
other  inadequacies,  they  c^ul  be  accepted  as  indicators  of 
areas  in  which  improvements  are  necessary  in  the  design  of  a 
product  or  system. 

This  technique  provides  a  source  of  data  on  errors  that 
contribute  to  critical  euid  catastrophic  accidents,  and  obtains 
information  directly  from  operators,  who  are  less  reluctant 
to  admit  errors  in  nonaccident  situations  than  in  accident 


59 


situations.  The  CIT  has  been  used  in  evaluation  of  aircraft 
pilot  safety  and  has  proven  beneficial  as  a  qualitative 
safety  technique. 

Fitts  and  Jones  (1947)  used  this  technique  very  effec¬ 
tively  after  World  War  II  when  they  conducted  interviews  with 
Air  Corps  pilots  on  errors  made  in  operating  aircraft  controls 
and  in  reading  aircraft  instruments.  Figure  18  indicates  the 
classifications  of  460  pilot  errors  made  in  operating  aircraft 
controls.  Over  80  percent  of  the  errors  reported  can  be  con¬ 
sidered  as  errors  of  design:  design  of  controls,  their 
arreingements ,  cind  their  locations. 

Fitts  and  Jones  also  made  nvunerous  recommendations  for 
changes  that  would  reduce  humcin  error,  improve  controls,  and 
increase  system  effectiveness.  These  recommendations,  many 
of  which  were  incorporated  in  later  aircraft  and  in  human 
engineering  standeirds,  are  quoted  here  to  illustrate  benefits 
that  ceui  be  generated  by  this  technique  as  a  method  of  developing 
accident  prevention  measures: 

a.  More  than  half  of  all  errors  in  operating  cockpit  con¬ 
trols  can  be  attributed  directly  or  indirectly  to  lack  of 
unifoinnity  in  the  location  eind  mode  of  operation  of  controls. 

b.  Substitution  errors  can  be  reduced  by  (a)  uniform  pattern 
arrangement  of  controls;  (b)  shape-coding  of  control  knobs; 

(c)  warning  lights  inside  the  appropriate  feathering  button; 
euid  (d)  adequate  separation  of  controls. 

c.  Adjustment  errors  can  be  reduced  by  (a)  automatic  fuel 
flow  control;  (b)  simplified  one-step  operation  of  wheels  and 


60 


No  .  ot  Ptrcenl 
Errofi  Effots 

I  ')U8S  1 1  fii  f  UJN  f  UROHS  cofilusing  on*  control  with  anothar.  or  failing  to  identify  a  control  when 

<1  AUS  IM  flltsl 

I  Usinii  iiie  wiling  ihfoitlr  quadrant  cuntroMconluung  iniaiure,  prop  i>iich.  throttle,  etc!  09  tg 

li  i.'t>nlii^iiiil  lifiii  jiict  wtiei'i  controls  72  16 

I  (Jiiw.iiing  .1  i.oninii  lor  the  wrong  engine  (testhtring  button,  ignition,  inixture.  prop  pitch, 

tliiiiilie  etc  I  30  8 

il  Faiiiny  lo  iiteiiiily  the  Imiiling  light  switch  or  confuting  It  with  toint  other  control  11  2 

e  CoiiliisiiHj  uiluir  controls  (alarm  ball,  bomb  bay  door,  carburetor  heat,  cockpit  heater. 

ilinii|idlile  gas  tanks,  emiirgencv  bomb  release,  engine  heat,  intercooler  oil  bypass.  Oil  collar 

iMikinq  brake,  pitot  heat,  radio  tuning  control,  salvo  switch,  trim  lab.  wobble  pumpi  21  5 

total  229  50 


2  AOJUSINIENT  ERRORS  operating  a  control  too  slowly  or  too  rapidly,  moving  a  switch  to  the  wrong 
iMtsinun  or  following  the  wrong  sequence  in  operating  several  controls 


a  Tuining  fuel  selector  switch  10  the  wrong  tank  19 

h  Following  wrung  sequence  in  raising  or  lowering  wheels  10 

c  Failing  to  obr.nn  desired  flap  setting  17 

d  Adding  power  too  suddenly  without  proper  change  m  trim  9 

e  Failing  to  lock  or  unlock  throttles  properly  5 

I  Failing  to  roll  in  (run  last  enough  4 

g.  Fading  to  adinsi  other  controls  properly  11 

TOTAL  83 


4 

4 

4 

2 

1 

1 

_2 

10 


3  FORGE  T  TING  ERRORS  failing  to  check,  unlock,  or  use  a  control  at  the  proper  time 
a  Taking  oil  wiih  flignt  controls  locked  (aileron,  elevator,  rudder,  or  all  controls  locked) 

0  Forgetting  generator  or  magneto  switch 

c  Foigetting  to  make  proper  engine  ot  propeller  control  adjustments  (mixture,  prop  pitch,  etc. I 
d  Foigetting  to  lower  lock  or  check  landing  gear 
e  Taking  off  wiih  wrong  (rim  settings 
I  Taking  off  wdhoul  removing  pitot  cover 

g  Forgetting  to  operate  other  controls  (bomb-bay  doors,  bomb-rockei  selector  switch,  coolant 
shinier,  (laps,  auxiliary  fuel  pump,  fuel  selector,  hydraulic  selector,  lights.  PDI  switch,  pitot 
he.il  tail  wheel  lock) 

TOTAL 


16  4 

14  3 

11  2 

7  2 

6  I 

4  1 

2J  b 

83  IB 


■1  HtVEHSAl  LHItOR'i  moving  j  conpni  m  j  ditection  opposite  10  that  necessary  to  piodnci- 
levii uil  result 

.1  Mekiiig  level  s«:d  II  nil  correction  If 

Il  Mukmg  level  sed  vving  Ua(>  dd|ustnient  ^ 

I  Mdkiiig  level  sed  iniiveineiil  ot  an  engine  or  prupellor  eonirol  (mixture,  prop  pilch,  etc  i  b 

•  I  Making  revet  sed  movfineiil  ol  some  ntliei  control  ^ 

UjTAL 

UNIN  I  tN  1  lt)NAl  AuTIVMMON  ifMilvoUeiiUv u  uuiurol  wilhoul  betng  rtvwdfc  u!  d 
(.jdiuieiuf  iicoi,  cuv«i  .  ijiuduii,  lyni(iof).  (nverier,  landtny  ytar,  Itytu^ 

>wit<  It,  pilijl  ijtht)  >oi>t^chdtijer) 

1/  UNAttl  t  lO  HEALH  A  uuNl  HOL  jtt  -ilcni  u(  neat  aci.iUttnl  resulttny  Irom  ■  (iulimy  hnad  ">  uim> 

(Mi  '  to  a  LUiiitol  of  iitiiliility  lo  rcuf.h  <i  conliol  at  all  ICarbuielor  heat,  tuvi  stfl«ctor. 
ityilicjulit;  laiuliity  ijiidi  <  »a*ik  fuiktvrs) 

Figure  18.  Classification  of  460  Errors  Made  by  Pilots 
in  Operating  Aircraft  Controls  (Hammer, 
1972,  p.  189) 


2 

I 

\ 

? 

b 

b 


61 


flaps;  (c)  easily  accessible  and  continuously  operable  trim 
controls;  emd  (d)  improved  throttle  locks. 

d.  Forgetting  errors  can  be  eliminated  almost  entirely  by 
adherence  to  uniform  and  "natural"  directions  of  control 
movement . 

e.  Unintentional  activation  of  controls  can  be  remedied  by 
application  of  existing  anthropometric  data  on  body  size 

and  use  of  a  maximum  reaching  distance  of  28  inches  from  the 
shoulder  for  all  controls  used  during  critical  procedures. 

The  CIT  procedure  was  described  by  Tarrants  as  carried 
out  at  one  plant  of  the  Westinghouse  Company.  The  steps  may 
be  summarized  as  follows: 

a.  A  group  of  employees  with  previous  experience  and 
involvement  in  manufacturing  processes  and  equipment  was 
selected.  Each  person  included  was  listed  according  to  vari¬ 
ous  factors  to  produce  as  wide  a  range  of  experience  as 
possible.  Representatives  were  selected  randomly  from  each 
factor  group. 

b.  The  participants  were  interviewed  and  informed  of  the 
study  and  its  objectives.  They  were  given  an  opportunity  to 
withdraw  from  participation. 

c.  At  the  end  of  the  interview  the  participant  was  given 
a  copy  of  the  statement  on  the  study  and  its  objectives  and 
a  list  of  typical  incidents  gathered  at  other  plants.  This 
procedure  was  to  stimulate  the  recall  process. 

d.  Participants  were  asked  to  describe  any  incidents  that 
they  could  recall,  whether  or  not  they  had  resulted  in  injury 
or  property  damage.  They  were  asked  whether  they  recalled 


62 


any  incident  similar  to  those  that  had  occurred  at  other 
plants,  as  described  on  the  list  they  had  been  provided. 

e.  Questioning  was  carried  on  until  humcm  errors  or  un¬ 
safe  conditions  in  any  recalled  incident  could  be  described. 

The  20  participants  related  389  incidents  of  117  differ¬ 
ent  types.  Over  50  percent  more  potential  accident  causes 
were  found  by  this  method  than  had  been  identified  from  acci¬ 
dent  records.  One  participant  estimated  that  almost  70  per¬ 
cent  of  the  problems  reported  occurred  every  day,  indicating 
an  almost  constant  exposure  to  dcinger.  Once  a  potential 
accident  has  been  reported,  the  hazards  are  corrected  so  that 
a  real  accident  will  not  occur.  As  these  hazards  are  eliminated 
or  reduced  so  should  accident  frequency  and  severity  rates. 

The  major  deficiency  of  this  method  is  that  its  effective¬ 
ness  will  be  dependent  upon  all  employees  reporting  those 
potential  accidents  (incidents)  in  which  they  are  involved. 
Usually  employees  will  be  reluctant  to  do  so.  They  are  worried 
about  their  supervisors  attitude,  their  own  personal  records 
cind/or  spoiling  the  company's  safety  record.  Thus  data  with 
some  degree  of  bias  are  introduced. 


III.  STATEMENT  OF  PROBLEM 


Through  the  literature  survey,  several  methods  among  the 
existing  safety  measurement  techniques  have  been  discussed 
for  measurement  of  flight  safety.  From  the  above  discussion 
it  is  apparent  that  the  measurement  of  flight  safety  is  an 
area  for  research  and  development  which  will  allow  major 
improvement  in  overall  flight  safety  programs. 

A  most  important  aspect  in  the  development  of  an  effective 
safety  program  is  collection  and  evaluation  of  data.  The 
primary  goal  of  any  safety  program  is  to  prevent  accidents. 
Accident  prevention  is  best  pursued  within  the  framework  of 
a  systematic  program.  Detailed  and  well-selected  collection 
of  factual  data  is  the  first  step  in  the  development  of  an 
effective  safety  effort.  By  means  of  an  overall  evaluation 
of  safety  by  analysis  and  dissemination  of  this  data,  acci¬ 
dents  C6U1  be  predicted  eind  prevented. 

The  Korean  Air  Force  is  currently  collecting  data  on  air¬ 
craft  accidents.  Data  categories  collected  are  as  follows. 

a.  Accident  rate  and  flight  time  per  model  and  year 

b.  Total  accident  rate,  pilot  and  aircraft  loss  per  year 

c.  Accidents  by  general  factors  (pilot,  maintenance, 
material,  supervisor,  etc.) 

d.  Accidents  in  detail  per  factors  (e.g.,  pilot  factor: 
spin,  disorientation,  unusual,  air  collision,  etc.) 


64 


e.  Major  accidents  per  flight  time  (e.g.,  400  ~ 500  hrs :  8, 
900  ^  1000  hrs:  4,  1700  ~  1800  hrs:  1,  etc.) 

f.  Major  accidents  per  flight  phases  (take  off,  climb, 
in  flight,  Let  Down,  landing) 

g.  Major  accidents  per  missions  (Air  to  Air,  Air  to  Ground, 
Instrument  Flying,  etc.) 

h.  Major  accidents  per  rank 

i.  Aircraft  accident  cost. 

Many  of  the  data  categories  listed  above  are  useful  and 
lend  themselves  to  analysis  (Items  a,  b,  e) .  There  are,  how¬ 
ever,  some  major  deficiencies  in  data  being  collected  by  the 
Korean  Air  Force.  From  the  accident  prevention  viewpoint 
and  for  the  analysis  of  pilot  error,  it  would  be  better  to 
categorize  the  pilot  errors  of  item  c  as  follows: 

a.  Design-induced  pilot  factor  (e.g.,  instruments  that 
can  not  be  seen  properly  because  of  their  location) . 

b.  Operations-induced  pilot  factor  (e.g.,  air  traffic 
control  terminology) . 

c.  Environment-influenced  pilot  factor  (e.g.,  weather 
phenomena  such  as  fog  or  thunderstorms) . 

d.  Innate  pilot  factor  (e.g.,  poor  technique,  misuse  of 
controls,  medical  and  psychological  conditions) . 

Specifically,  the  data  of  items  g  and  h  are  inadequate. 

For  example,  item  g  must  include  flight  time  or  sorties.  That 
is,  accident  rate  must  be  calculated  for  each  mission.  Item 
h  must  consider  the  total  flight  time  and  pilots  of  each  rank. 


65 


For  example,  suppose  the  cumulative  number  of  pilots,  flight 
time,  and  accidents  for  10  years  are  shown  in  Table  IV. 


Table  IV 

Example  Data  for  Ranks  by  Pilots,  Flight  Time  and  Accidents 


Raink 

2nd  Lt. 

1st  Lt. 

Capt. 

Maj  . 

Lt.  col. 

pilots 

400 

1,000 

1,500 

800 

300 

flight 

time 

40,000 

150,000 

450,000 

160,000 

30,000 

acci¬ 

dents 

3 

18 

19 

9 

9 

Then, 


Accident  rate 


(Number  of  pilots  in  each  rank/total  pilots) 

_ X  Accidents  100,000 _ 

Flight  time  of  each  rank 


Total  pilots  =  400  +  1,000  +  1,500  +  800  +  300  =  4,000 

Accident  rate  of  _  (400/4000)  x  3  x  100,000 

2nd  Lt.  ^  40,000  "  * 


By  the  same  formula,  accident  rates  of  1st  Lt.,  Capt. ,  Ma j . , 
and  Lt.  Col.,  cire  3.0,  1.58,  1.13,  and  2.25. 

From  the  data  collected  above  we  can  only  use  control 
chart  techniques  because  the  data  was  not  collected  in  detail. 
But  the  problem  is  that  it  is  difficult  to  evaluate  the  over¬ 
all  safety  effectiveness  by  this  method  because  the  control 
chart  uses  only  the  frequency  or  severity  of  accidents  vs. 


time  (year,  month,  or  week) .  Accidents  must  be  considered 
as  multiple  causation  events,  i.e.,  rarely  is  a  single 
factor  solely  responsible  for  the  event. 

The  present  thesis  effort  has  been  designed  to  examine 
data  currently  collected  by  the  K.A.F.  and  meike  recommendations 
which  will  improve  data  collection  procedures  and  subsequent 
analysis . 


67 


IV.  APPROACH  TO  MEASUREMENT  OF  FLIGHT  SAFETY 

Several  measurement  techniques  applicable  to  flight 
safety  were  presented  in  the  literature  survey.  The  problem 
is  how  should  the  data  be  collected  to  efficiently  apply  such 
measurement  techniques?  The  author  will  present  several 
methodologies  to  collect  and  apply  data. 

A.  CONTROL  CHARTS 

The  primary  objective  of  this  method  is  to  show  compari¬ 
sons  among  accidents  which  occurred  in  a  given  period  and  to 
visually  indicate  out  of  control  situations  by  plotting  fre¬ 
quency  of  accidents  vs.  time  (year,  month,  or  week)  and  upper/ 
lower  control  limits.  A  point  falling  abovfe  or  below  the  con¬ 
trol  limits,  respectively,  is  indicative  of  an  out-of -control 
situation,  and  assignable  causes  are  generally  sought.  To 
measure  flight  safety,  we  actually  need  only  the  upper  control 
limit. 

It  is  easy  to  collect  these  data.  The  K.A.F.  does,  in 
fact,  collect  monthly  and  yearly  aircraft  accident  data.  In 
addition,  it  may  be  advantageous  to  add  daily  and  weekly 
data  to  monthly  and  yearly  statistics. 

Example 

1.  Data  for  accident  rate  (major,  minor,  or  major  +  minor) 
per  week  (given  period) . 

2.  Pilot  loss  rate  per  year,  month. 


68 


If  the  above  data  was  collected,  it  would  be  possible  to 
determine  trends  of  accidents  on  a  daily  basis.  In  particu¬ 
lar,  we  could  analyze  the  accident  factors  (pilot  error, 
material  failure,  supervisor,  maintenance,  environment)  from 
item  1  by  observing  the  upper  control  limit  zone. 

Analysis  of  Existing  Data 

The  aircraft  accident  rate  of  the  K.A.F.  is  as  in  Table  V. 

Table  V 

K.A.F.  Accident  Rate  by  Year 


Year 

70 

71 

72 

74 

75 

76 

77 

78 

a 

Acci¬ 

dent 

rate 

10.8 

B 

B 

B 

9.5 

B 

B 

B 

5.6 

B 

Then  the  control  chart  of  this  data  is  shown  in  Figure  19 . 


U.L. 


X 


L.L. 


Year 


69 


From  the  above  data, 


n  X . 
X  =  I  — 
i=l  " 


66.8 

10 


=  6.68 


S  = 


-  (^x.)2/nl/n-l  =  2, 


87 


The  t  distribution  is  used.  For  a  =  0.05, 


U.L.  =  X  +  t  —  =  6.68  +  to  qtc 

/S' 


2.87 

/To 


6.68  +  2.262  xliH.  =  8.73 

/To 


L.L.  =  X  -  t 


/n 


—  =  6.68  -  2.262  x 


2.87 

/To 


=  4.63 


The  accidents  of  70,  73,  and  74  are  out  of  the  control 
limit.  So  we  have  to  ainalyze  the  accident  causes  of  these 
years  to  prevent  or  reduce  accidents  in  the  future.  Also  we 
have  to  prepare  accident  prevention  program  according  to  the 
outcome  of  analysis. 

Let’s  take  a  =  .01. 


U.L.  =  X  +  t 


n-l,l-|  /n 


=  6.68  +  t 


9, .995 


2.87 

/To 


6.68  +  3 . 25  X 


2.87 


9.63 


L.L. 


X  -  t 


_S_ 


6.68 


>1  <1  U 

n-1,1-2 


=  3.73 


-  3.25 


X 


2.87 

/To 


The  accidents  of  70  and  73  year  are  yet  out  of  control 
limit.  The  control  chart  is  almost  the  same  as  test  of 
hypothesis . 


Hj_:  M  >  Uq 

The  acceptance  and  rejection  regions  are  illustrated  in 
Figure  20.  Here  assume  that  the  hypothesis  is  true  and 
use  the  value  of  a  to  determine  the  "cut-off"  point  for 
acceptance  or  rejection,  a  is  the  probability  of  rejection 
given  that  the  hypothesis  Hq  is  true. 


Figure  20.  Acceptance  and  Rejection  Region 

For  HqI  y  =  Pq  and  y  >  y^,  assuming  that  Hq  is 

true,  the  distribution  is  centered  at  yQ.  Now  according  to 

71 


the  definition  of  a  we  will  accept  a  probability  of  rejecting 


Hq  even  though  it  is  true. 

Example 

Aircraft  accident  rate  of  the  K.A.F.  was  supposed  to  be 
reduced  up  to  average  5.0  from  1970  to  1979.  Was  the  acci¬ 
dent  level  reduced  significantly? 

Hq;  u  =  Uq  (Accident  level  was  reduced  significantly) 

H.;  u  >  y.  (Accident  level  was  not  reduced 
significantly) 

Then  from  accident  data  given  above: 

U.L.  =  Un  +  t  1  ,  «  •  — 

»  5.0  +  to  o  =  0.05) 

9/0-95  ^ 

=  5.0  +  1.833  -  =  6.66 

/lO 

We  know  x  =  6.68.  Thus  x  >  U.L.  This  means  Hq  is  rejected 
and  u  >  Uq  is  accepted.  Therefore  we  can  conclude  that 

the  K.A.F,  has  not  yet  reduced  the  aircraft  accident  success¬ 
fully  within  given  period.  If  a  increases,  the  value  of  the 
U.L.  decreases  and  the  probability  of  acceptamce  Hq  decreases 
more. 

B.  FAULT  TREE  ANALYSIS  (FTA) 

Fault  tree  analysis  can  be  used  to  improve  flight  safety 
through  the  identification  of  safety  critical  items  and  meOce 
cost  effective  recommendations  for  their  improvement.  The 


72 


identification  of  failures  which  impact  the  safety  of  a  com¬ 
plex  mechanical  system  of  aircraft  requires  a  disciplined 
formal  methodology  capable  of  addressing  the  causes  of  failure 
and  failure  interactions  at  low  levels  of  complexity  which 
influence  the  entire  system.  FTA  can  provide  such  a  disci¬ 
plined  methodology  and  also  be  applied  to  quantitatively 
identify  critical  modes  of  failure  (both  hardware  and  human) 
whose  occurrence  could  cause  a  hazard  in  flight.  The  appli¬ 
cation  of  FTA  initially  requires  the  definition  of  a  system 
and  once  the  system  is  defined  the  basic  events  are  identi¬ 
fied  by  starting  with  the  accident  and  looking  for  its  cause 
at  a  lower  level  of  complexity.  By  repetition  of  this  cause 
and  effect  relationship,  the  most  elementary  cause  is  finally 
deduced.  The  interconnections  of  the  causal  events  with  logic 
symbols  form  the  branches  of  the  fault  tree .  The  quantita¬ 
tive  evaluation  of  the  probability  of  system  failure  requires 
the  collection  of  failure  rate  data  from  which  basic  proba¬ 
bilities  are  determined.  These  basic  event  probabilities 
are  combined  using  rules  of  Boolean  algebra  to  determine 
criticality  of  each  basic  event.  Based  on  relative  criti¬ 
calities,  cost  effectiveness  techniques  can  be  used  to  decrease 
probabilities  of  basic  hazards. 

A  fault  tree  is  a  failure  analysis  technique  which  analyzes 
system  failures  beginning  at  the  highest  level  of  complexity 
and  ending  at  the  lowest  level  of  complexity.  The  upper  most 
event  is  identified  as  an  accident  which  m-  '  ave  several 
degrees  of  severity.  The  degree  of  severity  is  not  identified 


73 


on  the  fault  tree  diagram  but  is  accounted  for  in  the  cost 
effectiveness  calculation.  The  tree  construction  is  a  logi¬ 
cal  process  producing  a  graphical  display  of  events  such 
that  all  possible  causes  of  a  particular  failure  are  shown 
below  that  failure.  Subsystem  failures  are  further  subdivided 
and  depicted  in  greater  detail  until  the  bottom  of  the  tree 
is  reached.  The  tree  is  structured  to  systematically  show 
contributory  events  and  failures  and  their  relationship  to 
each  other  and  to  the  accident.  Each  component  of  the  sub¬ 
system  capable  of  producing  am  event  is  examined  and  how  its 
failure  would  contribute  to  a  mishap  determined. 

According  to  Hammer  (1972) ,  in  the  application  of  the 
fault  tree  methodology  the  following  assumptions  are  generally 
made,  concerning  the  characteristics  of  components,  condi¬ 
tions,  actions  and  events: 

a.  Components,  subsystems  and  similar  items  can  have  only 
two  conditional  modes;  they  can  either  operate  successfully 
or  fail.  No  operation  is  partially  successful. 

b.  Basic  failures  are  independent  of  each  other. 

c.  Each  item  has  a  constemt  failure  rate  that  conforms 
to  em  exponential  distribution. 

The  benefit  of  the  generalized  fault  tree  structure  is 
realized  through  the  general  applicability  of  the  improvement 
recommendations,  derived  from  the  fault  tree  analysis. 

The  author  will  draw  a  fault  tree  diagram  based  on  the 
K.A.F.  aircraft  accident  data.  The  primary  factors  of  K.A.F. 
aircraft  accidents  in  the  1970 's  were  classified  into  six 


categories,  i.e.,  pilot,  maintenance,  material,  supervisory, 
environmental,  and  unknown  factor.  Fault  tree  must  include 
detailed  fault  factors  from  top  structure  to  subsystem,  but 
K.A.F.  data  has  not  been  collected  in  sufficient  detail  to 
evaluate  the  most  effective  use  of  FTA.  For  example,  material 
factors  of  K.A.F.  are  shown  in  Table  VI.  What  was  the  basic 
event  of  flight  control  in  Table  VI?  Was  it  pitch,  yaw,  or 
roll  failure?  If  the  failure  was  due  to  yaw,  what  was  the 
basic  event  of  yaw?  Was  it  caused  by  wear,  shock,  or  vibra¬ 
tion?  The  fuel  system  can  be  included  as  a  subsystem  of 
thrust  control  and  also  must  be  divided  into  subsystems. 

Data  presented  in  Teible  VI  is  inadequate  for  applying  FTA. 

Among  the  primary  factors  of  K.A.F.  data  pilot,  main¬ 
tenance,  supervisory,  and  environmental  factors  are  human 
error.  Fault  tree  diagram  of  K.A.F.  accident  data  is  shown 
in  i^pendix  B.  More  subsystems  and  basic  events  were  added 
to  illustrate  a  S2unple  aircraft  accident  fault  tree  and  develop 
the  methodology  for  collecting  amd  applying  data.  A  method 
to  collect  data  will  be  described  below. 

1.  Data  Collection 

For  FTA,  the  data  is  not  confined  only  to  major  and 
minor  accidents.  Incident  and  Forced/Precautionary  Lauiding 
data  are  also  included,  i.e.,  accidents  are  sorted  into  cate¬ 
gories  such  as: 

a.  Major  accident 

b.  Minor  accident 


75 


Table  VI 


Material  Factors  by  Year  of  Accident  (Major  &  Minor) 


c.  Incident. 

d.  Forced/precautionary  Landing. 

Basic  events  which  will  be  contributed  to  accidents 
in  these  subcategories  are: 

a.  Supervisory  factors. 

b.  Psychophysiological  factors. 

c.  Environmental  factors. 

d.  Material  failure. 

e .  Maintenance . 

Sample  format  of  supervisory  factors  is  shown  in 
Table  VII.  More  detailed  data  to  be  collected  is  presented 
in  Section  V. 

2 .  Development  of  an  Equation  for  Corrective  Action 

Recommendations 

This  section  concentrates  on  the  development  of  an 
equation  by  which  to  evaluate  cost  effectiveness  in  terms  of 
pareuneters  derived  from  the  fault  tree  analysis  and  parameters 
which  may  be  readily  estimated  from  the  data. 

The  cost  effectiveness  index  provides  a  measure  of 
dollars  saved  per  dollar  spent  in  implementing  recommenda¬ 
tions.  It  is  based  on  the  projected  percentage  improvement 
in  criticality  if  the  improvement  recommendation  is  implemented. 
The  cost  effectiveness  index  is  the  ratio  of  cost  savings  to 
improvement  cost. 


CE  = 


(1) 


where : 


77 


r 


CE  =  cost  effectiveness  index 
Cg  =  cost  savings 

Cj  =  improvement  cost 

The  cost  savings  may  be  expressed  in  terms  of  the 
difference  in  total  accident  cost  achieved  by  implementing 
the  improvement  recommendation.  This  may  be  expressed  as: 

(2) 

where : 

Cg  =  cost  savings 

N  =  number  of  accidents 

=  cost  of  accident  without  improvement 

=  cost  of  accident  with  improvement 
The  general  cost  of  a  single  accident  may  be  expressed  as: 

=  (CR)  (Cjj)  I  a.  Y-  (3) 

where : 

CR  =  criticality 

C„  =  cost  of  a  total  lost 
n 

=  probability  of  an  accident  being  of  severity  i 
=  relative  cost  of  an  accident  of  severity  i 
i  =  1  -  major  incident 


9 


f 


i  =  2  -  minor  accident 

i  =  3  -  incident 

i  =  4  -  forced/precaution  lamding 

This  equation  may  be  rationalized  in  terms  of  the 
criticality  representing  the  probaJaility  of  an  accident  of 
any  severity  occurring  due  to  a  given  basic  fault.  The 
probability  of  the  accident  being  of  severity  i  is  then 
(CR)  (a . )  .  The  cost  of  an  accident  of  severity  i  is  (C„)(y  )- 

X  n  X 

The  cost  likely  to  be  incurred  due  to  accidents  of  all 
severities  is  the  sum  of  the  products  of  these  terms  as 
expressed  in  the  equation  above. 

The  criticality  after  implementation  of  the  improve¬ 
ment  recommendation  may  be  expressed  as : 

CR’  =  (1-B}(CR)  (4) 


where : 


B  =  percent  improvement  in  criticality 

The  cost  of  an  accident  after  implementation  of  the 
improvement  recommendation  may  then  be  expressed  as; 

=  (1-B)  (CR)  (Cjj)  I  a.y^  (5) 

i 

By  substituting  equations  (3)  and  (5)  into  equation 
(2) ,  an  expression  for  cost  savings  is  obtained  in  terms  of 
parameters  which  have  known  numerical  values. 


80 


=  Ni  (CR)  -  (1-B)  (CR) 

=  N(CR)  (C„)  {1  -  (1-6)  }[a.Y. 

H  ^11 

Thus 


Cg  =  N6(CR)  (Cjj)Ia^Yi 


(6) 


An  expression  for  the  cost  effectiveness  ratio  is 
obtained  by  substituting  equation  (6)  into  equation  (1) . 


CE  = 


N6  (CR)  (Cjj) 


Ta .  Y  ■ 
•• 


Thus 


CE  = 


N6 (CR)  ^  I  a.y. 

^1  i 


(7) 


In  order  to  apply  this  formula  we  have  to  set  up  a 
general  criteria  for  each  item, 
a.  Criticality  (CR) 

The  author  uses  the  definition  of  CR  suggested 
by  Birnbaum  (1975) .  Let  g  be  a  function  that  computes  the 
probability  of  the  top  event  in  terms  of  the  basic  event 
probabilities.  To  generate  this  fionction  we  need  a  Boolean 
expression  for  the  top  event  in  terms  of  the  Boolean  variables 
of  the  basic  event.  The  outcome  of  each  basic  event  at  time 


t  has  an  indicator  variable  (t)  , 


8 


1  when  basic  event  i  has  occurred  at  time  t 

Y^(t)  = 

0  otherwise 

If  the  state  of  each  basic  event  is  random,  the 
probability  that  event  i  occurs  by  time  t  can  be  defined  to 
be  F^(t).  If  A^(t)dt  is  defined  to  be  the  probability  that 
event  i  occurs  between  t  and  t+dt,  given  that  event  i  has 
not  occurred  by  time  t,  then  (t)  can  be  expressed  in  terms 
of  (t) ; 

t 

-  I  A.  (t)dt 
F^(t)  =  1  -  e  ° 

A^(t)  is  commonly  referred  to  as  the  hazard  or  failure  rate 
at  time  t. 

If  we  construct  a  fault  tree  where  the  top  event 
is  system  failure  and  the  basic  events  are  component  failures, 
then  Birnbaum's  definition  of  component  importance  becomes 

3g{F(t) } 

-p-'-t)--  =  g{l^,F(t) }  -g{0^,F{t)  } 

where  g{F (t) }  is  the  probability  that  the  top  event  occurs 
by  time  t.  The  above  expression  is  the  probability  that  the 
system  is  in  a  state  in  which  the  functioning  of  component 
i  is  critical;  the  system  functions  when  i  functions,  the 
system  fails  when  i  fails.  The  probability  that  the  system 
is  in  a  state  at  time  t  in  which  component  i  is  critical  and 


82 


that  component  i  has  failed  by  time  t  is  the  criticality  of 


the  ith  basic  event,  i.e., 

CR  =  [g{l^,F(t) }  -  g{0^,F(t) }]F^(t) . 


Example 

Assume  that  the  fighter  aircraft  accident  data 
(including  incident  and  forced/precaution  landing)  of  the 
K.A.F.  was  collected  for  a  10  year  period  and  a  fault  tree 
diagram  was  constructed  the  same  as  in  Appendix  B.  From 
this  diagram,  the  number  of  basic  event  accidents  due  to 
insufficient  experience  is  3.  What  is  the  basic  event 
failure  probability,  head  event  probability  and  basic  event 
criticality? 

Before  solving  this  problem,  assxame  the  following 
data  was  collected. 

Total  flight  time  of 

fighter  aircraft  606,100  hr 

Total  sorties  586,600 

Average  flight  time  1.033  hr 

Assuming  an  exponential  failure  distribution,  the  failure 
rate  is; 


^  Sow  '  '>.95xl0-'/hr 

Prob2ibility  of  basic  event  'limited  experience'  is: 


83 


84 


“  Probability  of  inadequate  briefing 
=  5.11  X lO"® 

P2j^  =  Probability  of  sut '=‘rvisory  error 
5 

=  1  -  n  (1  -  p  ) 

i=l 

=  1  -  (1  -  5.10  X lO"®)  (1  -  3.40  X 10"^)  (1  -  5.10  X 10"^) 


(1  -8.52  xio"®)  (1  -5.11  xio"^) 


=  2.72  X 10  ^ 

If  we  collected  all  of  the  other  event  data  and 
the  probabilities  of  each  event  calculated  as  in  Table  VIII, 
then,  by  using  the  procedure  with  AND  or  OR  gate,  we  have; 

Table  VIII 
Failure  Probability 


EVENTS 


Failure  Probability 


Maintenance 

10.10  X lo”^ 

Environmental  Condition 

1.03  X lo"^ 

Psychophysiological 

Disturbance 

2.05  X 10  ^ 

Flight  Control 

1 

9.25  X 10"^ 

“  "  '  1 

Thrust  Control 

8.55  X 10“^ 

Landing  Gear 

6.18  X lo"^ 

Unknown  Crash 

1.20  X lo"^ 

Probability  of  pilot  error  *  5.80  x 10 

-5 

Probability  of  human  error  *  6.81  xio 

-4 

Probability  of  material  failure  =  2.40  x 10 

-4 

Probeibility  of  head  event  failure  =  3.20  x  10 

Calculation  of  criticality: 

If  the  ith  component  'Insufficient  Experience’ 

failed, 

g{l^,F{t) }  =  3.20  X 10“^. 

If  the  ith  component  'Insufficient  Experience' 
didn't  fail  and  the  head  event  failure  occurred,  then 

F^(t)  *  At  *  0  X  1.033  =  0 

Thus 

2  -6 
P  =  1  -  n  (1-F.)  =  1  -  (1-0)  (1  -  3.41  X  10  ”) 

i=l  ^ 

=  3.41  X lo"® 

P^j^  =  1  -  (1  -5.10  xio"^)  (1  -3.40  xl0‘®)  (1  -5.11  xio"®) 

•  (1  -  5.10  X 10”®)  (1  -  3.41  X lO"®) 

=  2.21  X 10“® 

Finally  we  get  the  probability  of  head  event  failure  as 
3. 15  X lo”^ .  Thus , 

« 

86 


1 


CR  =  (3.20  X  10“'^  -  3.15  X  lo"'^)  (5.11  X  lO"®) 

=  2.56  X 10~^^ 

b.  Number  of  Accidents  (N) 

An  estimate  of  the  number  of  accidents  in  the 
remaining  service  life  of  fighter  aircraft  in  the  K.A.F. 
would  be  calculated  if  we  knew  the  average  sorties  flown  per 
year  and  the  projected  remaining  life  of  operation.  Suppose 
the  average  sorties  flown  per  year  was  58660  and  the  average 
operational  life  of  fighter  type  aircraft  was  8  years. 

From  the  fault  tree  it  was  determined  that  the 
probability  of  an  accident  of  any  type  of  basic  event  is 
3.20  X 10  .  Then  the  number  of  accidents  expected  to  occur 

in  the  remaining  operational  life  is: 

N  =  (58660)  (8)  (3.20  X lo"^)  =  150 

Though  the  above  value  was  derived  by  estimate,  its  absolute 
value  is  unimportant  since  ranking  of  cost  effective  proce¬ 
dures  id  based  on  a  relative  figure  of  merit. 

c.  Percent  Improvement  in  Criticality  (8) 

The  percent  improvement  achievable  by  implementing 
suggested  improvement  recommendations  for  the  particular  fault 
is  based  on  an  engineering  judgment. 

d.  Ratio  of  Total  Loss  to  Improvement  Cost  (j^) 

I 

Total  loss  is  equivalent  to  the  average  acquisi¬ 
tion  cost  of  all  types  of  fighter  aircraft.  For  each 


87 


improvement  technique,  estimates  can  be  made  of  the  cost  to 
implement  the  improvement  as  a  fraction  of  the  acquisition 
cost,  Cj/Cjj. 

e.  Relative  Cost  of  an  Accident  of  Severity  i 

The  relative  cost  associated  with  a  given  accident 
depends  on  its  severity.  Accident  costs  will  be  normalized 
with  respect  to  the  average  of  the  manhours  required  to  com¬ 
plete  repair  or  replacement  of  major  damage  for  all  kinds 
of  fighter  aircraft. 

Suppose  we  know  the  following  data. 


1.  Major  Damage  Classification 


T^pe  of  aircraft 

F-K 

F-M 

F-X 

■9 

F-Z 

Manhours 

500 

600 

700 

800 

900 

2. 


Minor  D^unage  Classification 


Type  of  aircraft 

F-K 

F-M 

F-X 

■a 

F-Z 

Manhours 

200 

180 

150 

120 

50 

Then  the  average  of  the  manhours  required  to  complete  repair 
or  replacement  of  major  damage  for  all  types  of  aircraft  is; 


(500  +  600  +  700  +  800  +  911)/5  =  700 

The  average  manhours  of  minor  damage  is  140.  The  relative 
cost  of  a  minor  accident  is  then  140/700  =  .2.  The  same  ratio 
cem  be  applied  in  relating  an  incident  to  a  minor  accident 
and  a  forced/precaution  landing  to  an  incident.  Assume  the 


88 


relative  cost  of  incident  is  0.03  and  forced/precaution  landing 
is  0.004  for  calculation  of  COST  effectiveness  as  an  example. 

f.  Probability  of  an  Accident  Being  of  Severity  i  (a^^) 
It  is  often  the  case  that  basic  events  have 
different  probabilities  of  inducing  accidents  of  varying 
severity,  i.e.,  scxne  event  will  always  result  in  a  major 
accident,  whereas  other  events  may  induce  a  major  accident, 
minor  accident,  incident,  or  forced  landing.  The  probedsili- 
ties  depend  on  other  interacting  elements  in  the  system. 
Therefore,  in  arriving  at  a  cost  effectiveness  index,  the 
criticality  of  a  basic  fault  must  be  weighed  to  reflect  its 
impact  on  accident  severity.  This  is  achieved  by  introducing 
a  factor  into  the  expression  for  cost  savings  to  account 
for  the  probability  of  a  given  accident  severity.  The  evalua¬ 
tion  of  this  parauneter  requires  an  engineering  judgment  to 
be  made  of  the  probabilities  of  a  basic  fault  causing  acci¬ 
dents  of  varying  severities. 

Sample  calculation  of  CE 

Assume  that  the  accident  occurred  from  limited 
experience  (Basic  event  1.8  of  Appendix  B)  .  The  cause  of 
failure  was  due  to  "order  to  pilot  beyond  capability  on 
flight" .  The  corrective  action  recommended  is  an  establish¬ 
ment  of  experience  criteria.  The  cost  effectiveness  of  this 
recommendation  is: 

From  collected  data  and  engineering  judgment, 

assume  we  have  8  =  70%,  =  10%,  =  40%,  =  40%,  =  10% 

and  C_/C„  =  0.1.  Then 
X  H 


89 


CE  =  N  (CR)  (^)  I  a  y 

i=l  ^  ^ 

=  150  X  0.7  X  (2.56  X  X  x  (0.1  x  1.0 

U  •  X 

+  0.4  x  0. 2  +  0.4  x  0.03  +  0.1  x  0.0004) 

=  5.17  X 10“^ 

The  relative  cost  effectiveness  is  obtained  by 
proportion  of  the  above  value  to  the  most  cost  effective 
item  in  the  list,  i.e.,  set  the  most  cost  effective  item  to 
be  1.0.  For  example,  suppose  supervisory  error  in  maintenance 
has  the  greatest  CE  value  of  65,  then  relative  cost  effec¬ 
tiveness  of  3.5  in  Appendix  B  is  1  and  accident  due  to  limited 

-7  -11 

experience  is  5.17  xio  /65  =  7.9xio  .  Example  cost  effec¬ 
tiveness  ranking  is  shown  in  Table  IX.  We  can  decide  the 
basic  event  fault  is  not  critical  and  then  it  will  be  eliminated 
from  Table  IX  (e.g.,  if  CR  <  lo”^^) . 

FTA  was  suggested  as  a  method  of  system  safety 
analysis  which  can  improve  flight  safety  through  identifica¬ 
tion  of  safety  critical  items  and  make  cost  effective  recom¬ 
mendations.  FTA  is  a  detailed  deductive  analysis  that  usually 
requires  considerable  system  information.  It  can  be  a  valua¬ 
ble  design  tool.  FTA  can  also  be  a  diagnostic  tool  in  that 
it  can  predict  the  most  likely  causes  of  system  failure  in 
the  event  of  system  breakdown. 


90 


le  Cost  Effectiveness  Rankin 


C.  CRITICAL  INCIDENT  TECHNIQUE  (CIT) 

The  CIT  consists  of  a  set  of  procedures  for  collecting 
direct  observations  of  human  behavior  in  such  a  way  as  to 
facilitate  their  potential  usefulness  in  solving  practical 
problems.  As  a  measure  for  accident  research,  it  reveals 
causal  factors  in  terms  of  human  errors  and  unsafe  conditions 
that  lead  to  aircraft  accidents  and  it  provides  more  infor¬ 
mation  about  accident  causes  auid  a  more  sensitive  measure  of 
total  accident  performance  than  other  available  methods  of 
accident  study. 

The  CIT  has  been  used  to  collect  both  accident  and  near 
accident  data  without  any  discrimination  being  made  between 
the  two  types  of  data.  However,  in  particular  cases  the 
investigator  may  confine  his  attention  to  one  or  the  other 
type  of  data. 

By  collection  and  categorization  of  common  errors  from 
human  factors  data  in  aircraft  operation,  possible  direction 
of  accident  prevention  and  recommendation  will  be  provided. 
For  example,  if  we  collect  data  of  specific  experiences  from 
pilots  in  taking-off,  flying  an  instrument,  landings,  using 
controls  and  using  instruments,  then  the  data  may  provide 
many  factual  incidents  that  can  be  used  as  a  basis  for 
plsmning  research  on  the  design  of  instruments,  controls, 
training,  and  the  arramgement  of  these  within  the  cockpit. 

To  be  useful  the  incidents  must  be  detailed  enough  a)  to 
allow  the  investigator  to  make  inferences  and  predictions 


92 


about  the  behavior  of  the  person  involved  and  b)  to  leave 
little  doubt  about  the  consequences  of  the  behavior  and  the 
effects  of  the  incident. 

The  two  primary  steps  included  in  the  critical  incident 
procedure  are : 

1 .  Collection  of  the  Data 

The  most  important  item  for  accident  research  is  the 
real  data  in  detail.  The  CIT  is  frequently  used  to  collect 
data  on  observations  previously  made.  This  is  usually  satis¬ 
factory  when  the  incidents  reported  are  fairly  recent  and  the 
observers  were  motivated  to  make  detailed  observations  euid 
evaluations  at  the  time  the  incident  occurred. 

The  practical  problem  in  collecting  the  data  for  des¬ 
cribing  an  activity  refers  to  the  problem  of  how  it  should 
be  obtained  from  the  observers.  This  applies  especially  to 
the  problem  of  collecting  recalled  data  in  the  form  of 
critical  incidents.  Three  procedures  for  collecting  data 
are  described  below. 

a.  Interviews 

The  use  of  trained  personnel  to  explain  to  observers 
precisely  what  data  are  desired  and  to  record  the  incidents, 
making  sure  that  all  necessary  details  are  supplied,  is 
probably  the  most  satisfactory  data  collection  procedure. 

This  type  of  interview  is  somewhat  different  from  the  other 

i 

types  of  interview  and  a  brief  summary  of  the  principle  mis¬ 
hap  factors  involved  will  be  given. 

93 


b.  Questionnaires 

If  the  group  becomes  large,  a  questionnaire  pro¬ 
cedure  is  convenient. 

c.  Record  Forms 

One  other  procedure  for  collecting  data  is  by 
meams  of  written  records.  There  are  two  varieties  of  recording 
one  is  to  record  details  of  incidents  as  they  happen.  This 
situation  is  very  similar  to  that  described  in  connection  with 
obtaining  incidents  by  interviews  above . 

A  variation  of  this  procedure  is  to  record  such 
incidents  on  forms  which  describe  most  of  the  possible  types 
of  incidents  by  placing  a  check  or  tally  in  the  appropriate 
place. 

As  additional  information  becomes  available  on 
the  nature  of  the  components  which  make  up  activities,  obser¬ 
vers  may  thus  collect  data  more  efficiently  by  using  forms 
for  recording  and  classifying  observations. 

2 .  Analyzing  the  Data 

The  collected  data  of  a  large  sample  of  incidents 
provides  a  functional  description  of  the  activity  in  terms 
of  specific  behaviors.  The  purpose  of  the  data  analysis  stage 
is  to  summarize  and  describe  the  data  in  an  efficient  manner 
so  that  it  can  be  used  effectively. 

For  analyzing  the  data  we  have  to  consider  two  pri¬ 
mary  problems  involved.  These  problems  will  be  discussed 
below. 


94 


a.  Frame  of  Reference 


There  are  countless  ways  in  which  a  given  set 
of  incidents  can  be  classified.  In  selecting  the  general 
nature  of  the  classification,  the  principle  consideration 
should  usually  be  that  of  the  uses  to  be  made  of  the  data. 

The  preferred  categories  will  be  those  believed  to  be  most 
valuable  in  using  the  statement  of  requirements.  Other  con¬ 
siderations  are  ease  and  accuracy  of  classifying  the  data, 
b.  Category  Formulation 

The  induction  of  categories  from  the  basic  data 
in  the  form  of  incidents  is  a  task  requiring  insight,  experi¬ 
ence,  and  judgment.  The  usual  procedure  is  to  sort  a  rela¬ 
tively  small  sample  of  incidents  into  piles  that  are  related 
to  the  frame  of  reference  selected.  After  these  tentative 
categories  have  been  established,  brief  definitions  of  them 
are  made,  and  additional  incidents  are  classified  into  them. 
During  this  process,  needs  for  redefinition  and  for  the 
development  of  new  categories  are  noted.  The  tentative  cate¬ 
gories  are  modified  as  indicated  and  the  process  continued 
until  the  incidents  have  been  classified.  The  larger  cate¬ 
gories  are  subdivided  into  smaller  groups  amd  the  incidents 
that  describe  very  nearly  the  same  type  of  behavior  are  placed 
together.  The  definition  for  all  the  categories  aind  major 
headings  should  then  be  re-exaimined  in  terms  of  the  actual 
incidents  classified  under  each. 

A  major  problem  area  in  CIT  involves  actual  data 
collection.  The  following  items  will  be  applicable  to  interview 


95 


unclassified 


NAVAL  POSTGRADUATE  SCHOOL  MONTEREY  CA  p/6  5/1 

A  PROPOSED  flight  SAFETY  PROGRAM  FOR  WE  KOREAN  AIR  FORCEi(U) 

MAR  81  C  K  LEE 


or  record  form  in  order  to  collect  humem  factors  data  in 


aircraft  operation . 

1.  Description  of  the  occurrence 

a.  Aircraft 

(1)  Model 

(2)  Configuration  when  anomaly  occurred  (gear, 
flaps,  thrust,  fuel,  quantity,  etc.) 

b.  Type  of  operation 

c .  Time  auid  location 

(1)  Local  time 

(2)  Elapsed  time  since  departure  from  parking 
area 

(3)  Phase  of  flight 

(4)  Geographic  location 

d.  Nature  of  the  anomaly  (describe  the  deviation  from 
normal  or  expected  performance  as  precisely  as 
possible) 

e.  Radio  navigation  facilities  in  use  and  type  of 
navigation 

f.  Detection  of  the  anomaly  (Identify  the  person 
responsible  for  each  pertinent  decision,  command, 
action,  communication  or  interaction  with  others) 

(1)  Who  first  noticed  the  deviation?  (Aircraft 
commamder,  air  traffic  controller,  maintenance 
personnel,  or  others  (explain)).  Who  should 
have? 

(2)  What  brought  it  to  his  attention?  What  should 
have? 

g.  Cockpit  environment  preceding  the  anomaly. 

(1)  Was  there  anything  unusual  about  the  operation? 

(2)  Were  there  any  distractions  immediately  before 
the  anomaly  occurred? 

(3)  What  was  the  weather  at  the  time  of  the 
occurrence? 

h.  What  actions  immediately  preceded  the  anomaly,  in 
order  of  occurrence? 

(1)  Did  emy  of  these  actions  contribute  to  the 
anomaly? 

(2)  What  decisions  motivated  this  action?  Who  made 
them? 


96 


(3)  What  information  was  the  basis  for  the  deci¬ 
sions?  Was  the  information  correct? 

i.  Was  there  any  indication  before  the  anomaly  that 
it  was  going  to  occur  or  might  occur?  If  so: 

(1)  What  was  the  indication? 

(2)  Who  noticed  it? 

(3)  Was  it  noticed  immediately?  If  not,  why  not? 

2.  Recovery  following  the  occurrence 

a.  What  happened  after  the  anomaly  occurred? 

(1)  What  decisions  were  made? 

{ 2 )  By  whom? 

(3)  For  what  reasons? 

b.  What  actions  were  taken  to  correct  the  deviation? 

(1)  By  whom  was  each  action  initiated?  When?  Why? 

c.  What  effect  did  each  action  have? 

(1)  Did  it  help  recovery? 

(2)  Did  it  hinder  recovery? 

d.  Did  any  complicating  factors  arise  during  the 
recovery  period?  (After  the  initial  deviation, 
other  events  can  occur  while  the  crew  is  recovering 
from  the  first  one.  Be  careful  to  identify  these.) 

e.  Was  normal  operation  restored?  How  long  did  it  take? 

f.  Was  safety  threatened  at  any  time? 

(1)  If  so,  what  was  the  nature  of  the  threat? 

(2)  Was  it  recognized  at  the  time? 

(3)  Who  recognized  it? 

(4)  How  was  it  recognized? 

(5)  How  long  did  it  last? 

(6)  What  was  done  to  control  or  minimize  the 
threat? 

(7)  Could  the  threat  have  been  controlled  more 
effectively? 

3 .  Background 

a.  If  pertinent,  describe  the  history  of  the  personnel 
involved  and  of  the  airplane  and  facilities  utilized 
in  this  flight. 

(1)  Nutrition  and  rest:  Describe  meals  as  to  time 
eaten  and  type  of  food  and  sleeping  time. 

(2)  Were  there  any  medical  or  physiological  problems? 


97 


(3)  Describe  the  crew's  rest  and  duty  schedule 
for  this  flight  sequence.  Was  this  flight 
their  scheduled  activity? 

a)  Do  the  pilots  believe  the  duty  or  rest 
schedule  was  a  factor? 

b)  Describe  their  activities  during  the 
preceding  day. 

(4)  Were  there  any  problems  within  the  flight 
crew  with  respect  to  discipline,  coordination, 
ability,  personality  factors? 

(5)  Were  there  any  other  problems  (ground  support 
personnel,  controller,  memagement,  others)? 

(6)  Were  any  other  factors  pertinent  during  the 
period  prior  to  flight? 

b.  Describe  in  brief  the  history  of  this  flight  prior 

to  the  occurrence.  Emphasize  any  decisions,  actions, 
events  or  omissions  which  might  have  been  related 
to  the  later  anomaly. 

(1)  Was  servicing  and  ground  support  normal? 

(2)  Were  there  einy  supervisory  problems? 

(3)  Were  there  any  ground  or  flight  delays? 

(4)  Were  there  any  problems  at  the  depaurture 
airport? 

(5)  Were  there  any  air  traffic  control  or  aiirways 
facilities  problems? 

(6)  Was  weather  a  problem  at  any  time?  If  so,  how? 
Analysis  and  recommendations 

This  section  should  contain  only  the  opinions  cuid 
recommendations  of  the  person  reporting  the  occurrence. 

a.  Was  the  situation  evaluated  correctly  when  the 
anomaly  was  detected? 

(1)  If  so,  were  euiy  special  factors  responsible? 

(2)  If  not,  why  was  the  evaluation  incorrect? 

(3)  Could  anything  have  improved  the  accuracy  of 
the  evaluation? 

b.  Was  the  detection  of  the  anomaly  as  prompt  as  it 
should  have  been? 

(1)  If  so,  were  any  special  factors  responsible? 

(2)  If  not,  why  was  there  a  delay  in  detection? 

(3)  Could  anything  have  improved  the  speed  of 
detection? 


c.  Was  the  recovery  from  the  deviation  the  most 
effective? 

d.  Was  there  any  problem  in  flight  crew  management  or 
coordination?  Describe  any  deficiencies,  problems 
or  comments  in  detail. 

e.  Was  the  entire  flight  managed  professionally  and 
effectively? 

(1)  If  not,  what  might  have  been  done  better? 

f.  Was  Air  Traffic  Control  involved  in  any  way? 

(1)  If  so,  was  the  problem  due  to  ATC  handling  or 
instructions? 

(2)  If  so,  was  there  ciny  flight  crew  misunder¬ 
standing  of  ATC  handling  or  instructions? 

(3)  Did  ATC  do  anything  to  minimize  the  problem? 

g.  Was  any  airplane  system  involved? 

(1)  Did  maintenance  contribute  to  the  problem? 

h.  Was  this  a  fairly  common  problem? 

i.  Was  pilot  training  adequate: 

(1)  To  have  prevented  this  occurrence? 

(2)  To  correct  or  control  it  under  these 
circumstances? 

(3)  To  cope  with  it  under  all  circumstances? 

j .  Were  any  of  the  following  involved  in  any  way? 

If  so,  how? 

(1)  Flight  crew  supervision? 

(2)  Flight  dispatch? 

(3)  Flight  or  ground  support? 

(4)  Other? 

5.  Supplement  (for  interviewer  only) 

a.  Was  the  reporting  person's  memory  entirely  clear 
as  to  the  details  of  this  occurrence?  If  not,  in 
what  areas  did  he  have  difficulty  remembering 
details? 

b.  In  your  opinion,  did  this  incident  pose  a  threat 
to  flight  safety?  If  so,  how  amd  why? 

c.  Add  amy  additional  comments  or  opinions  you  may 
have  as  to  the  factors  involved  in  this  occurrence 
and  as  to  measures  which  might  prevent  such  problems 
in  the  future. 


99 


After  collecting  the  data  by  the  methods  given 
above,  we  can  analyze  the  data.  The  sample  size  must  be  as 
large  as  possible  for  categorization.  Table  X  is  the  classi¬ 
fication  of  pilot-error  experiences  as  a  result  of  analyzing 
the  data.  This  is  just  an  example  to  show  how  to  amalyze 
the  data. 

In  summary,  the  CIT  is  used  as  a  method  of  dis¬ 
covering  and  attempting  to  reduce  or  control  hazardous  situa¬ 
tions  before  accidents  occur. 

In  effect,  the  CIT  accomplishes  the  same  end 
result  as  am  accident  investigation:  identification  through 
personal  involvement  of  a  hazard  that  has  or  could  result 
in  injury  or  damage.  The  CIT  has  been  used  in  evaluation  of 
pilot  safety  aind  has  proven  beneficial  as  a  qualitative 
safety  technique. 

D.  OTHER  STATISTICAL  METHODS 

In  general,  accidents  are  not  single  causation  events, 
rather  multivariate  factors.  So  we  can  use  mcmy  kinds  of 
statistical  methods  to  euialyze  the  data.  Multiple  regression 
emalysis  and  cluster  analysis  are  widely  used.  Different 
statistical  methods  can  be  applied  to  the  collected  data. 

The  following  is  an  example  of  the  use  of  statistical 
methods.  Suppose  it  is  important  to  determine  if  there  is 
a  statistically  significant  difference  between  the  pilot 
factor  accident  rates  of  experienced  and  inexperienced  pilots 


100 


Table  X 

Example  Classification  of  Pilot  Error  Experiences 


Type  of  Error 

Number  of 
Errors 

1 

Errors  in  interpreting  imlti-revoluticn  instruments 

a.  Errors  involving  an  instmnent  which  has  more 
than  one  pointer  (e.g.,  misreading  the  altimeter) 

b.  Errors  involving  an  instrtment  which  has  a 
pointer  and  a  rotating  died,  viewed  through 
a  window  (e.g.  /  misreading  the  tachcmeter, 
adr-speed  indicator) 

2 

Substitution  errors 

a.  Mistaking  one  instrument  for  another 

b.  Ccnfxasing  which  engine  is  referred  to  ty 
instrument 

c.  Difficulty  in  locating  an  instrument  because 
of  unfamiliar  arrangement  of  instruments 

3 

Reversal  errors  (e.g.,  reversals  in  inte^reting 
the  direction  of  bank  shcxoi  in  attitude  indicator, 
reversals  in  interpreting  direction  from  ocnpasses) 

4 

Errors  due  to  illusions;  Faulty  interpretation  of 
the  position  of  an  aircraft  because  bo<^  sensations 
do  not  agree  with  what  the  instruments  show 

5 

Using  an  instnmait  that  is  inoperative 

- 

6 

Signal  interpretation  errors;  Failure  to  notice 
a  warning  light  in  the  aircraft,  or  confusing 
one  warning  light  with  another 

101 


(in  this  case,  the  "experience"  and  "inexperience"  would  have 
to  be  defined) .  Choose  some  time  frame  emd  let 


h,  *  number  of  flight  hours  flown  by  experienced 
pilots 

h^  =  number  of  flight  hours  flown  by  inexperienced 
pilots 

a,  =  number  of  pilot  factor  accidents  involving 
experienced  pilots 

a-  =  number  of  pilot  factor  accidents  involving 
inexperienced  pilots. 

Then  the  rates  for  experienced  and  inexperienced  pilots  are 
(a^  X  100 , 000) /hj^  and  (a^x  100 , 000) /h2 ,  respectively.  We 
want  to  test  the  null  hypothesis: 


Hq:  There  is  no  difference  in  accident  potential 
between  experienced  and  inexperienced  pilots 

Not  Hq 


Testing  Hq  aunounts  to  testing  a  hypothesis  about  the  success 
probability  in  a  binomial  distribution.  Let  a  and  h  be  the 
number  of  accidents  and  time,  respectively,  for  the  group 
with  the  larger  accident  rate  (e.g.,  a  =  a^  and  h  =  h^,  if 
the  experienced  pilots  had  the  higher  rate) . 

Let 


P  = 


n 


ai  a2, 


We  will  reject  Hq  if  p  and  p  differ  too  much.  Compute 
T  =  P(X^a),  where  X  has  a  binomial  distribution  with 
pairameters  n  auid  p.  Thus, 


T 


nl 

i ! (n-i)  1 


1,,  vH-l 

p  (1  -p) 


i=a 


Let  a  be  the  significance  level  of  the  test  (e.g.,  a  =  0.05). 
If  T  >  a/2,  then  accept  Hq.  That  is,  we  would  conclude  that 
there  is  not  sufficient  evidence  based  on  this  data,  to  say 
there  is  a  difference  between  experienced  and  inexperienced 
pilots.  If  T  ^  a/2,  then  reject  Hq  and  conclude  {at  signifi¬ 
cance  level  a)  that  there  is  a  difference  between  experienced 
and  inexperienced  pilots. 

The  aibove  test  is  an  example  of  a  two-sided  test.  It  is 
designed  to  answer  the  question,  “Is  there  a  difference 
between  experienced  and  inexperienced  pilots?"  A  one-sided 
test  could  be  done  to  answer  the  question,  "Are  experienced 
pilots  safer?"  The  null  hypothesis  in  this  case  would  be: 

H_ :  experienced  pilots  are  not  safer  than 
inexperienced  pilots 

/s 

For  this  case,  let  a  =  a^  and  h  =  h^,  and  compute  T,  p,  p, 
and  n  according  to  the  same  formulas  as  before.  We  will 
reject  Hq  if  p  is  much  Icurger  than  p.  If  T  >  a,  we  accept 
Hq.  That  is,  we  conclude  that  there  is  not  sufficient  evi¬ 
dence,  based  on  this  data,  to  say  that  experienced  pilots 
are  safer  (with  signif icauice  level  a)  .  If  T  ^  a,  then  re¬ 
ject  Hq  and  conclude  (at  significance  level  a)  that  experi¬ 
enced  pilots  are  safer. 


103 


V.  CONCLUSIONS/RECOMMENDATIONS 


Aircraft  accidents  are  rarely  caused  by  a  single  factor. 
Generally,  accidents  are  the  end  result  of  system  deficien¬ 
cies,  human  error  and  design  deficiencies  coming  together 
simultaneously.  The  most  commonly  designated  cause  of  acci¬ 
dents  is  human  error.  For  flight  safety,  a  systematic  acci¬ 
dent  prevention  program  should  include  consideration  of  all 
possible  sources.  Accident  prevention  is  best  pursued  within 
the  framework  of  this  program.  There  are  certain  fundamental 
concepts  and  methods  which,  if  properly  applied,  Ccui  increase 
the  probability  of  success  in  the  detemination  of  factors 
contributing  to  an  accident.  Several  methodologies  for  the 
measurement  of  flight  safety  and  data  collection  have  been 
proposed  in  this  thesis  for  inclusion  in  the  K.A.F.  safety 
progreun. 

The  primary  goal  of  accident  prevention  progam  is  to 
prevent  mishaps.  Therefore,  the  K.A.F.  needs  to  develop 
a  safety  progrcun  based  on  the  following  data  collection  and 
cinalysis  methods; 

1.  Develop  a  format  which  will  describe  each  element 

(e.g.,  pilot,  maintenance,  supervisory  error,  material 
failure)  in  detail.  For  example  the  U.S.A.F.  has 
developed  a  system  for  accident  data  collection  (see 
Appendix  C)  which  provides  for  a  comprehensive  con¬ 
sideration  of  variables  involved  in  flight  safety. 

The  following  elements  are  contained  in  the  U.S.A.F. 
data  collection  system; 

a.  Ground  mishap  report. 

b.  Aircraft  flight  mishap  report. 


104 


c.  Aircraft  maintenance  and  material  report. 

d.  Life  sciences  report  of  an  individual. 

e.  Psychophysiological  cind  environmental  factors. 

f.  Personal  data. 

2.  K.A.F.  needs  to  consider  the  application  of  the 
critical  incident  technique  (CIT)  as  described  in 
Section  IV  to  collect  and  analyze  data.  CIT  is 
used  in  evaluation  of  flight  safety  and  as  a 
qualitative  safety  technique. 

3.  Use  the  format  of  system  safety  hazard  cinalysis  (SSHA) 
for  fault  tree  analysis.  In  system  safety  analysis, 
the  results  of  SSHA  should  be  used  to  determine  what 
safety  requirements  are  needed  to  minimize  and  con¬ 
trol  hazards  to  cm  acceptcQsle  level.  The  SSHA  should 
be  accomplished  by  a  systematic  evaluation  of  each 
subsystem  /component  to  determine  how  much  each 
element/subsystem  could  potentially  contribute  to 

a  specific  hazard.  A  sample  format  of  SSHA  reporting 
is  shown  in  Appendix  D. 

4.  Finally,  the  following  fundamental  data  should  be 
filed  in  the  computer  for  use  in  a  safety  analysis 
and  program  evaluation. 

Group  data 

(1)  Total  number  of  pilots  engaged  in  flying  by 
month  and  year. 

(2)  Flight  time  of  Command,  Wing,  and  Squadron  in 
month  and  year  by  model. 

(3)  Total  number  of  accidents  in  month  and  year  by 
Command,  Wing,  and  Squadron. 


Pilot 

a.  Biographical  data 

( 1 )  Name 

( 2 )  Rank 

(3)  Date  of  birth 

(4)  Date  of  graduation  from  undergraduate 
flight  training 

(5)  Wing  and  Squadron  assigned 

(6)  Total  flight  time 

(7)  Total  jet  time,  conventional  aircraft  time, 
helicopter  time 


105 


(8)  Total  instructor  time 

(9)  Total  weather/instrument  time 

(10)  Number  and  type  of  accidents  the  individual 
has  had. 

b.  Accident  data 


(1) 

Name  of  personnel  involved 

(2) 

Date  of  occurrence 

(3) 

Type  of  mission 

(4) 

Phase  of  mission 

(5) 

Duration  of  flight 

(6) 

Type  of  accident 

(7) 

Prime  and  contributing 

factor 

(8) 

Days  since  last  flight 

(9) 

Hours  flown  in  last  24 

and  48  hours 

(10) 

Sorties  flown  in  last 

24  and  48  hours 

(11) 

Hours  flown  in  last  7, 

30,  60,  and  90 

(12) 

Total  time  in  this  aircraft  type 

In  addition,  similar  data  should  be  collected  on  main- 
tainers,  supervisors,  air  traffic  controllers,  etc. 

Aircraft 

( 1 )  Mode 1 

(2)  Total  flight  time 

(3)  Date  of  last  major  inspection 

(4)  Flight  time  since  last  major  inspection 

Accident  research  is  a  systematic,  empirical,  and  critical 
investigation  of  associated  factors  and  their  relationships 
in  an  accident.  For  this  research,  reliable  and  valid  acci¬ 
dent  data  are  necessary.  If  the  data  are  collected  in  detail 
and  correctly  by  the  formats  and  techniques  proposed,  it  will 
provide  a  convenient  method  for  a  researcher  to  use  in  the 
development  and  application  of  a  safety  program.  For  example, 


106 


the  analysis  of  the  variables  or  causal  factors  of  aircraft 
accident  such  as  hunan  error,  material  failure  or  malfunc¬ 
tion,  and  adverse  influences  of  the  environment  on  man  and 
machine  will  allow  the  researcher  to  develop  an  analytical 
model  for  a  specific  mishap.  There  are  several  multi¬ 
variate  statistical  techniques  (e.g.,  factor  and  component 
analysis,  cluster  analysis,  regression  analysis,  etc.)  to 
analyze  the  accident  data.  These  techniques  can  be  used  to 
determine  significant  interrelationships  and  to  correct  sys¬ 
tem  inadequacies  (i.e.,  what  caused  or  allowed  the  accident 
to  happen).  Also,  remedial  actions  {i.e.,  what  can  be  done 
to  preclude  the  occurrence  of  an  accident)  will  be  proposed. 

Finally,  application  of  the  findings  and  recommendations 
are  needed.  Qualified  investigators,  researchers,  and  safety 
officers  are  necessary  at  each  level  of  organization  (Figure 
21)  and  a  feedback  system  should  exist  between  and  within 
each  level.  If  a  mishap  occurs  (here  mishap  includes  major, 
minor  accident,  incident,  and  near  miss) ,  it  has  to  be  inves¬ 
tigated  and  reported  by  a  reporting  system  to  Air  Force  Head¬ 
quarters  Safety  Section  through  the  Command.  In  the  H.Q. 

Safety  Section  the  data  must  be  encoded,  analyzed,  auid  recommen¬ 
dations  made  known  by  the  dissemination  of  mishap  results 
and  findings  should  be  passed  to  Wing  and  Squadron  through 
the  Command.  The  Squadron  must  then  take  action  on  this 
recommendation.  The  recommendations  including  general  trends 
of  mishap  components  must  be  passed  monthly  to  Wing  and  Squadron. 


107 


Action 


Activit’ 


Appendix  E  is  a  sample  trend  chart  developed  by  the  U.S.A.F. 
and  applicable  to  the  K.A.F. 

The  safety  program  described  in  this  thesis  possesses 
the  potential  for  reducing  overall  operational  costs  and 
maximizing  aircraft  availaibility .  The  end  result  of  such  a 
progrcun  can  only  serve  to  increase  operational  readiness 
and  thereby  maximize  overall  efficiency  and  military  capa¬ 
bility  of  the  K.A.F. 


109 


APPENDIX  A 


BOOLEAN  LOGIC  AND  ITS  APPLICATIONS 

Boolean  algebra  was  developed  ortqinallv  for  the  ttudv  o(  symbolic  logic.  Its  rules  and  expressions  in  maihem.nirai  svmtiois 
permit  complicated  praposil>ons  to  be  clarified  and  simplified.  Boolean  algebra  is  especially  useful  where  conditions  can  be 
expressed  m  no  more  than  two  values,  such  as  yes  or  no,  true  or  false,  on  or  off,  up  or  down,  go  or  no  go  It  has  fnuml  wnin 
application  in  areas  other  than  symbolic  logic.  For  example,  it  is  used  extensively  in  the  design  of  computers  and  other 
electromechanical  assemblies  incorporating  large  nombersof  on-off  (switching)  circuits.  Other  uses  are  m  prohahility  analysis 
studies  involving  decision  maxing,  and  more  recently,  in  safety  and  fluidics.  The  chief  difference  between  the  various  disrinlmes 
in  their  employment  of  Boolean  algebra  is  in  notation  and  symbology.  Since  the  information  in  this  section  presents  basic 
elements  only,  expressions  most  commonly  found  in  safety  anaiyses  will  be  used. 

A  isi  is  a  group  of  obfects  having  at  least  one  characteristic  in  common.  The  set  may  be  a  collection  of  obiects,  conditions 
events,  symbols,  ideas,  or  mathematical  relationships.  The  unity  of  a  set  can  be  expressed  by  the  number  1 ,  and  an  empty 
set.  which  contains  none  of  these,  by  0.  The  numerals  1  and  0  are  not  quantitative  values:  1  <•  1  does  not  equal  2  They  am 
merely  symbols.  There  are  no  values  between  the  two  as  there  are  in  probability  calculations.  Set  relationships  are  sometimes 
illustrated  by  Venn  diagrams.  The  following  rectangle  represents  a  set  of  elements  that  have  an  undefined  common  characiensi  c 
*"  *  idb***  ftas  the  characteristic  A.  All  other  elements  in  the  set  do  not  have  the  A  characteristic  and  are  considnred 

being  "not  A,"  designated  by  A.  A  is  the  complement  of  A,  and  vice  versa.  It  can  be  seen  that  the  total  of  A  and  A  is  the  r  ompieie 
set,  expressed  mathematically  by  A  +  A  1 .  where  the  left  side  of  the  equation  is  the  union  of  A  and  A  .  The  »  sign  is  read 
"Ofl".  and  may  be  designated  in  mathematical  expressions  by  other  symbols,  such  as  U. 


The  second  diagram  illustrates  the  concept  of  disjoint,  or  mutually  exclusive,  sets.  The  elements  of  one  subset  are  not  im-iudeil  m 
the  others,  and  therefore  are  not  interrelated  (other  than  being  in  the  same  set)  In  this  case,  however,  because  A,  B  and  C 
contain  all  the  elements  in  the  overall  set,  they  are  said  to  he  mutually  exclusive  and  exhaustive  A  *  B  ♦  C  ’  1 

The  third  diegram  indicates  that  some  elements  of  A  also  have  B  characteristics  These  are  indicated  by  AB  A  B  or  A  B. 
called  the  intersection  of  A  and  B  The  intersection  contains  all  the  elements  with  the  characteristics  ol  both  A  and  fl  When 
all  elements  with  the  characteristic  A  are  counted,  those  in  AB  will  also  be  counted.  The  remaining  diagrams  m  the  -nw  iliustrxie 
some  of  the  relationships  between  union,  intersection,  and  complement.  Numerous  other  relationships  ihai  ran  lv>  •  mpiovcd 
in  mathematical  expressions  have  been  developed,  some  of  them  having  been  designed  as  lawj.  These  are  listed  below,  with  some 
explanations  on  their  meaning  in  Boolean  logic. 


RELATIONSHIP 

LAW 

EXPLANATION 

A  1  =  A 

Full  and  Empty  Sets 

Tht  only  ooftmn  w«thm  \  that  boib  1  and  A 
that  wirhin  A  ttsalf 

A  0  ’  0 

An  impo^^ible  rondition,  tf  it  is  withm  »t 

cannot  he  outside  the  set 

A  ••  0  e  A 

The  pjpment  m  a  subset  plus  anything  ont^id«»  th# 

Wiil  have  only  the  characteristics  of  the 

A  +  1  ’  1 

The  whote.  evtiressed  hy  1 .  cannot  ho 

Involution  Law 

The  COmnlPmPol  of  the  conmlnfnrnt  is  thr  ttsM'i  itsntf 

A  A  -  0 

Complementary  Relations 

An  impossihilit  v;  a  conrttiion  cannot  h#»  both  A  A 

at  the  same  nme. 

A  ►  A  ’  1 

Those  piofTients  ^ifh  a  spetdic  charart^r  »stir  .mil 
tho<e  wirbofit  ft  consfftiite  the  fotat  snt 

A  A  -  A 

Idemootent  Laws 

An  identity 

A  ‘  A  •  A 

Also  an  identity 

A  B  BA 

Commutative  Laws 

The  elements  having  t)oth  rhararo»f  istirs  havr  ilif'*n 
no  matter  itm  order  in  whit-h  Pvnmssrd 

110 


RtL  AIIUNSHIP 


LAW 


EXPLANATION 


AIBC)  =  (A  0)C 


A  •  (B  *  C)  =  (A  ♦  Bl  ‘  C 


A(B  *  C)  =  (A  B)  »  lA  C) 


A  MBCI  »  (A  «•  B)  (A  ♦  Cl 


A(A  *  B1  *  A 


A  »  (A  8(  *  A 


A  +  8  ^  A  8 


Associative  Laws 


OistriTjulive  Laws 


Absorption  Laws 


Oualuation 

Ide  Morgan's)  Laws 


The  total  ol  itiose  eleinvins  li,ivMii|  il.i  ■  Ii.u.h  id . 

A  or  B  will  tic  ttie  same  no  nditd  Hi»-  mild  n 
winch  they  ate  eniiressetJ 

The  elements  having  all  the  chaiai  idisiii.s  A  B  .n  o 

C  will  have  them  no  matter  the  miler  m  wim  n  .■■pri-odl 

The  total  ol  all  the  elements  m  aiw  .niriets  win  he 
the  same  no  matter  the  order  m  winch  e«nipsseil 

The  union  ol  one  subset  with  Iwu  oihers  can  aKu  im 
expressed  as  the  union  ol  then  mieisi'clions 

The  union  of  one  subset  with  the  iniei section  nl  iwo 
others  can  also  be  expressed  bv  the  rnterseclion 
ol  the  unions  ol  the  common  subset  with  the  oitiei 
two. 

AIA  +  B)  •  AA  ♦  AB  =  A  ♦  AB  since  AA  -  A, 

A  *  AB  e  All  +  Bl  *  A  since  B  is  included  m  1 

A  +  lA  BI  •  A  +  AB  -  All  +  B)  -  A. 

The  complement  ol  an  intersection  is  the  union  of  the 
individual  complements. 

The  complement  of  the  union  is  the  intersection  ol  the 
complements. 


Other  useful  identities  are  frequently  used  for  simplification  of  complex  Boolean  equations.  Four  of  these  are; 


Identity 
A  e  AS  e  A  >  B 
A  (A  <■  8)  •  AB 

(A  ♦  BIIA  +  C)  (A  +  0  •  AC  t-  BC 


AB  ♦  AC  +  0C  •  AB  ♦  AC 


Deriyatlon 

Using  the  Distributive  Law;  (A  +  AI(A  +  B)'A*B 
Using  the  Distributive  Law:  A  A  +  aB  °  AB 

Expanding  the  last  two  terms:  (A  +  B)  (A A  ♦  AC  ♦  AC  »  CC).  CC  ‘  C. 
AA  *0.  AC  *  AC  e  CIA  ♦  A)  *  C(1 1  »  C.  and  C  ♦  C  -  C. 
remainder  is  (A  +  B)C.  or  AC  +  BC. 

This  can  be  simplified  by  adding  a  term  such  as  A  A  The  left 
hand  side  then  becomes:  AB  +  AC  ♦  BC(A  »  Al  -  AB  1 1  *  Cl  ‘ 

ACI1  +  81  •  AB  +  AC. 


GATE  (CONNECTIVE!  SYMBOL 


EXPLANATION 

The  OR  connective  indicates  that  when  one  or 
more  of  the  inputs  or  governing  conrlitions  is 
present,  the  statement  will  be  true  or  an  output 
will  result.  Conversely,  ihe  statement  will  be  false 
if,  and  only  il,  noneol  the  governing  conditinns 
is  present. 


TRUT.4  table 
A  *  0  OR. 

0  0  0  IFalsel 

0  1  1  ITruel 

I  0  1  ITruel 

I  I  I  ITruel 


AND 


NOR 


NANO 


The  AND  connective  indicates  that  alj  ol  the 
governing  conditions  orenputs  must  be  present 
lor  a  statement  to  be  true  If  one  of  the  conditions 
or  inputs  IS  missing,  the  Statement  is  false 


A  8  And 

0  0  0  iF.ilsel 

0  I  0  iFaKwl 

1  0  0  iFalsel 

1  1  1  ITruel 


The  NOR  connective  may  be  considered  a  "not  OR"  A  *  B  .  NOR 

stele  It  indicates  that  when  one  or  more  of  the  6  0  I  (Truel 

inputs  IS  present.  Ihe  statement  will  be  lalse  or  no  0  t  0  iFalsel 

output  will  result  When  none  ol  Ihe  inputs,  neither  1  0  0  IFalsel 

A  nor  B.  IS  present,  an  output  will  result.  I  I  0  IFalsel 


The  NANO  connective  indicates  that  when  alj  of  the 
inputs  or  governing  conditions  or  inputs  are  not 
present.  Ihe  statement  will  be  true  or  there  will  be 
an  output  When  ell  of  the  inputs  or  governing 
conditions  a!2  present,  the  statement  will  be  falsa 
or  there  will  be  no  output. 


A  B  NANO 
0  0  1  ITruel 

0  1  1  ITruel 

t  0  1  (Truel 

1  1  0  IFalsel 


111 


vibration 


lot  Error 


Liaited  \  /  Inadequate 

Experience  |  (  Ttaininq 


Inadequate 


Fuel  System 
Failure 


APPENDIX  C 

REPORTING  FORMATS  FOR  DATA  COLLECTION 


r«4/cow» 


AIRCRAFT  FLIGHT  MISHAP  REPORT 

(To  fJilfJ  out  tor  pnittipoi  Qir<ruft  ic>oroQn<it«  \temt  u*tt%-  nmutJ  tUfJ  out  ^/t  tecu'it/ari-  Jtrerjft  / 


M»«MA#  CCASa 

G  A  □  • 

□  C  Q  OC»T 


4  UNIT  COMTnOk  NO 


^<LOT<S)  INVOLVED  IElIGHT  CPEWr 


OACAATOO  AT  CONTAOlS 


A  i.A«T  NAMS.  INir»At.9 


AOSlTION  IN  AlACNAVr  AT  TIMI  MiSHaA 


I  ACAA  SCAT  AtOMf  SCAT 


O.  NATIONALirV 


a.  MA4COM.  NAA.  OlV.  «VO.  SO  ATTACMCO  AOA  AUVINO 


OTHCA  Alcor 


A.  CAST  NAMC.  INITIALS 


•  .  COMAONCNT 


AOSITION  IN  AIACAAAT  AT  TiMC  OA  MISnaA 

|u«rT..«T|  1«.cht, 


o  nationality 


r.  MAJCOM.  NAA.  OlV.  WO.  SO  ASSIONCO 


O.  MAiCOM.  NAA.  OIW.  wO.  SO  ATTACHCO  AQA  ALTINO 


OTHCft  AlLOr 


•  .  COMAONCNT 


AOSiriON  IN  AIOCAAAT  at  TIMC  VISHAA 

rnnEHii 


c«»T  ,,Ar 


AlOHT  SCAT 


o  nationality 


O.  MAiCOM.  NAA.  OlV.  WO.  SO  ATTACHCO  AON  ALTINO 


OTMCO  AILOT 


A.  LAST  NAM8.  INITIALS 


0.  COMAONCNT 


€.  _ AQSiTlQN  IN  AIOCWA^T  AT  TIMC  Q>  MiSHAA 

^OONTSSATf  I  lSAT  S€At|  [  ACAO  SCAtj  }  NIONT  SCAT* 


O.  MAiCOM.  NAA.  OlV.  WO.  SO  ATTACHCO  AON  ALTINO 


clearance 


]  Pattq  i^  I  I  OIWCCT  f  T 


jjEfEEEninn 


AINW  ATS 


OURATION  OP  PLIGHT 


IS.  TTAC  OA  MISSION 


44.  AMASS  OA  OACMATION 


oilc 


nBTtT^ 


OVMC  OsiMVLArSO  IMC  OrOAMSITtOM 

OlMC  OONTOA  OvAN  IN  IMC  CONOITIONS 


AlMAlCLO  DATA  AAAliCASLC  TQ  TACCOAP  ANQ  LANOiNG  MISHAAS  OCCUNNINC  WITHIN  3  MILES  OA  AlAAlCLO 


A.  AlCLO  SLSVATION  tf  fff/ 


Q  asanalt  O  concnsts  Ootncn^JatwA-/ 


.  OIST.\NC8  OA  rOUCHOO 
AMOM  NUNWAT  thtttt 


SUAPACC  CONDITION 


noNT  Qnmr 


OTMCN  tSprct/x  ! 


.  COMAOSITIO 


(S^tttfyt 


IIHHBii 

nnniimiii 

*■  CONOITIONS  AAACCTINO  OCCWNCNCC  tl-nr  rxtmptf.  t\pr  of  Itphttup  opp^PCh  ust4.  Ownw  4trtpt*^.  f  AiM 

•r<TrAr.  fmUtmt 


rA«n  t.oir  tnn.ltr-.l  it  h^hti 


!  A-fv.-pr  t^mr  mUirmonon  oii>J»nonol  iliref  •>tr  *‘4tH 


120 


AIRCRAFT  MAIMTEMAWCE  ANO  MATERIEL  REPORT 


122 


^cftsoNAt  Data 


f^VSlOLOaiCAi.  AMO  VCIITIOO  TtAtNINC  rr*r  *11 


ceCMAlltMCO 


^CACC  ACCOMAtitNI» 


COMfLITfO  I  BOLC < 


AVIATION  SCHOOUS  ATTCnOCO  SINCC  aNAOUATlON  Ut»9f 


i,  fAYiNo  ci^cmcNCC 

•/  im4i9t49mt  Hwim$  •m09*t9m90  ••  9miti094  kr  AM  I1T>» 


•  •  roVAt  «««UBV  (ImmimStmt  AW  c«««.  •#«#•»«  nW  I  C.  '9TBt  rtwc  rwit  «)BC**Br 

•rA«r  I 


fi««r  Bfi«r  *«o 
IKtT«uCT9t  PikOt  mat. 


Aii  A(A€«ABT 


mis  AIVCffABT 


OA»C  9f  \.a%f  C*ifCW 


%.  (MTAvvfVf 


ic>r<BCT 


AVtATtON  5CAV<CC  COOC  AM*>  firtsn  K^IVITV  CATfOOWy  mj/i.  CTC.I 


*•€» I 

•  Mb  » Ov » 


•  •  «•  tm00Pt0mr 

t  >  TBAlAlMf 


i  *  fratmtmt  •••••Afv  A'tAeA  •#  traimtmi  p0»0mtt9 

9  ■  t»rt  #/  fartmt  •  - 


4 


tire  $CI£MC€S  R€fOt9rOf  AN  fNOfVtOUAt.  fNVOlViD  IN  AN  Af  ACClOf  NT/INCIOCNT 
SECTION  A,  AlACftAFT  ACCIOCNT/tNClDENT 

tTHtS  FOAM  tS  AFhfCTHJ  nv  rift  nvii  ir»  ir* /U/.-j  %tF  !  AfT^ACF) 


I  IB 


EOHlftrU] 


:.C'.o  coNO 


riMC  at  C*tlN  A^Tt  njOC 


9  TIMC  AT  UAAltHr 

ALTt  TjjOC 


i-nAjoa 


l-iiiiieft  4«V4rAi 


occiice  Of 


«•«>««* 


MCOICAI  INrOMATtCil 


t*«ii 

I  ••  ••Ou<«OIO>eut*T<  9  ijMCOvSC  C.S.OCA* 

I  MPW«S 

••MidiMAC 


INCUAACO  ( l,»*  »t4m4»fa  '>«•*«>«■« 

tMPtian  •f  I)  £>f«fA«i  C«m««  •'Li'** 

#Aa««  9f  mi4f>40,  aaP  Ff«0i4mt  S)  Afm  lif-t  'ct 


A. 

MATgNC  ANO  VOCATION 

1. 

INTCNNAV  CAUfC 

c. 

kT«.  ANO  T«OOV(NO 

«.  ««tupc  t.ec4rio« 

«.  (ircPNA^  CAusc 

C.  vocation.  OmAIC  OA  NIlHAAf.  ANO  ••QOVCNS 


A.  NAtgCC  ANO  VOCATION 
C.  tlTCONAV  CAuSf 

C.  VOCATION.  AWAIf  OT  «l SNAOt.  AnO  'OOtVCNO 


A.  NATUOC  ANO  VOCATION 
0.  CiTfONAV  CAUSC 

C.  VOCATION.  TmAIC  OT  NIlNAO*.  ANO  ••OOVlMt 


A.  NATgOI  ANO  VOCATION 
0.  CATCMAV  CAUll 

C.  VOCATION,  TwAff  OT  NlfNAOS.  ANO  *OOOVfNt 


VA»  TC$TtNO 


otnco  r JoAAiTfj 


•  •NAT  NCSuvro 


EB33EBQ3Qa 


•NNgAvl  9iCB 

CAW 


AUTOfSV  CONOUCTCQ  IT 


r«rii«vf  fwACiON 


C*eiT«VIAN 
•AfNOVOOl OT 


124 


126 


127 


HAZARD/ 


EVENT 


Descriptive 
short  title 


PHASE 


Program 
phase  in 
vghich  the 
hazard  may 
oocur,  e.g. 
ground 
operaticxi/ 
take  off, 
climb, 
in  flight, 
return 
to  base, 
landing 


CAUSE 


EFFECT 


CLASSI- 

FICAITCN 


Events  vMch  Descripticn  Hazard 
create  of  the  which  de¬ 
hazard  effects  of  pends  cn 

the  hazard  the 

on  both  effect. 

First  col 

and  equip- 
ment 


First  col. 
is  classi¬ 
fication 
of  hazard 
without 
any  cor¬ 
rective 
action  or 
minimizing 
provisions . 
The  second 
col.  is  the 
classifi¬ 
cation 
after  cor¬ 
rective 
action  has 
been  taken. 


CORRBCnVE 
Acncai/MINI- 
MI2ING  PHD- 

visic»e 


Description  of 
action  taken  to 
eliminate  or 
minimize  and 
control  the 
hazard.  All 
safety  design 
requirements, 
safety  proce¬ 
dures,  proba¬ 
bilities  of 
oocurrenoe, 
'safety  devices 
used,  and  any 
other  signifi¬ 
cant  action 
taken  to  mini¬ 
mize  and  ocn- 
trol  the 
hazards  should 
be  included  in 
this  colunn. 


FLYING  HQUPS  FOR  THIS  OUTPUT 


«S9 

11607 

10023 


107?3 

11754 

0725 


11036 

11090 

11137.7 


11533 

13665 

3080.57 


SLOPS  •  .342048443557 


INTERCEPT  ■  13.66263757 


CORRELfl T I OH  COEF-ICIENT  •  .139394294025 


90  %  CONFIDENCE  INT  FOR  SLOPE  •- 1 . 36992466635  TO  2.05402155306 


BIBLIOGRAPHY 


Adelfio,  S.A.,  and  Nolan,  C.F.,  Principles  and  Applications 
of  Boolean  Algebra,  Hayden  Book  Company,  Inc.,  1964. 

Ayoub,  M.A. ,  "The  Problem  of  Occupational  Safety,"  Industrial 
Engineering ,  V.  7,  No.  4,  p.  20,  April,  1975. 

Barlow,  R.E.,  Fussell,  J.B.,  and  Singpur  Walla,  N.D., 

Reliability  and  Fault  Tree  Analysis,  Theoretical  and 
Applied  Aspects  of  System  Reliability  and  Safety 
Assessment,  Society  for  Industrial  and  Applied 
Mathematics,  1975. 

Barlow,  R.E.,  and  Lambert,  H.E.,  "Introduction  to  Fault  Tree 
Analysis,"  Reliability  and  Fault  Tree  Analysis,  Society 
for  Industrial  and  implied  Mathematics,  Pp.  7-35,  1975. 

Barlow,  R.E. ,  and  Proschan,  F. ,  Statistical  Theory  of  Relia¬ 
bility  and  Life  Testing  Probability  Models,  Holt, 

Rinehart  and  Winston,  Inc.,  1975. 

Barnhart,  W. ,  Billings,  C.,  Cooper,  G.,  Gilstrap,  R. , 

Lauber,  J.,  Orlady,  H.,  Puskas,  B.,  Stephens,  W. ,  "A 
Method  for  the  Study  of  Human  Factors  in  Aircarft 
Operations,"  NASA  Technical  Memorandum,  Report  No.  A-6237, 
September,  1975. 

Brown,  D.B.,  Systems  Analysis  and  Design  for  Safety,  Prentice 
Hall, 

Chapanis,  A.,  Research  Techniques  in  Human  Engineering, 

Johns  Hopkins,  195^. 

DeGreene,  K.B.,  "Systems  Analysis  Techniques"  in  Systems 
Psychology  by  K.B.  DeGreene,  Pp.  81-85,  McGraw-Hill , 

Duncan,  A.J.,  Quality  Control  and  Industrial  Statistics, 

R . D .  Irwin,  Inc.,  1376. 

Flanagan,  J.C.,  "The  Critical  Incident  Technique,"  Psycho¬ 
logical  Bulletin,  V.  51,  No.  4,  Pp.  327-358,  July,  1954 . 

Gilmore,  C.,  Accident  Prevention  and  Loss  Control,  Americem 
Management  Association ,  Inc.,  197 b. 

Hammer,  W.,  Handbook  of  System  and  Product  Safety,  Prentice 
Hall,  Inc.,  1972. 


131 


Heschel,  M.S.,  "Hazards  Reduction  Improves  Safety,"  Indus- 
trial  Engineering ,  V.  6,  No.  3,  Pp.  8-10,  March,  1974. 

Johnston,  W.L.,  and  Rogers,  T.R.,  "Measuring  Safety 

Performance,"  Industrial  Engineering ,  V.  7,  No.  12, 

Pp.  19-21,  December,  1975 . 

Kogler,  K.J.,  Identification  of  Critical  Failures  and  Cost 
Effective  Reliability  Improvement  Approaches,  U.S.  Army 
Aviation  System  Command,  June,  1976. 

Lambert,  H.E.,  "Measures  of  Importance  of  Events  and  Cut 

Sets  in  Fault  Trees,"  Reliability  and  Fault  Tree  Analysis, 
Pp.  77-100,  Society  for  Industrial  and  Applied  Mathe- 
matics,  1975. 

Lindsey,  G.D.,  and  Brown,  W.R.,  Analysis  of  FY  78  Army 

Aircraft  Accidents,  U.S.  Army  Safety  Center,  May,  1979, 

Lowrance,  W.W.,  Of  Acceptable  Risk,  William  Kaufman,  Inc., 
1976. 

Miller,  C.O.,  "The  Design-Induced  Part  of  the  Human  Error 
Problem  in  Aviation,"  Journal  of  Air  Law  and  Commerce, 

V.  42,  Pp,  119-131,  Winter,  1976. 

Peterson,  D.,  Techniques  of  Safety  Management,  McGraw-Hill, 
1971. 

Ricketson,  D.S.,  Kennamore,  J.R.,  and  Callen,  J.R. ,  Pilot- 
Error  Accidents  Aren't  All  Pilot,  U.S.  Army  Agency  for 
Aviation  Safety,  May,  1975. 

Rogers,  W.P.,  Introduction  to  System  Safety  Engineering, 

John  Wiley  and  Sons,  Inc.,  1971. 

Rol2Uid,  H.E.,  Safety — An  Investment  Alternative,  The  Safety 
Center,  University  of  Southern  California,  1975. 

Simonds,  R.H.,  and  Grimaldi,  J.V.,  Safety  Management,  R.D. 
Irwin,  Inc.,  1963. 

U.S.  Air  Force,  "The  U.S.  Air  Force  Mishap  Prevention 
Program,"  A.F.  Regulation  127-2. 

U.S.  Naval  Safety  Center,  Handbook  for  Aircraft  Accident 
Investigation ,  1973. 

U.S.  Navy,  "The  Naval  Aviation  Safety  Program,"  OPNAV 
Instruction  3750,6,  October,  1980. 

Warwick,  W.B.,  Rear  Adm.,  "Human  Factors  in  Navy  Safety," 
Invited  Presentation:  24th  Annual  Meeting  of  the 
Human  Factors  Society,  1980. 


132 


Worick,  W.W. ,  Safety  Education,  Prentice  Hall,  1975. 

Zeller,  A.F.,  "Accidents  and  Safety"  in  Systems  Psychology 
by  K.B.  DeGreene,  PP.  131-150,  McGraw-Hill,  1970. 


133 


INITIAL  DISTRIBUTION  LIST 


NO. 


1.  Defense  Technical  Information  Center 
Cameron  Station 

Alexandria,  Virginia  22314 

2.  Library,  Code  0142 
Naval  Postgraduate  School 
Monterey,  California  93940 

3.  Department  Chairmein,  Code  55 
Depaurtment  of  Operations  Research 
Naval  Postgraduate  School 
Monterey,  California  93940 

4.  Professor  D.E.  Neil,  Code  55Ni 
Department  of  Operations  Research 
Naval  Postgraduate  School 
Monterey,  California  93940 

5.  Cdr.  William  F.  Moroney,  Code  55Mp 
Department  of  Operations  Research 
Naval  Postgraduate  School 
Monterey,  California  93940 

6.  Professor  M.H.  B2uik,  Code  034Bt 
Department  of  Aviation  Safety  Programs 
Naval  Postgraduate  School 

Monterey,  California  93940 

7.  Republic  of  Korea  Air  Force  Chief  of  Staff 
Air  Force  Headquarters 

Seoul ,  Korea 

8.  Republic  of  Korea  Air  Force  Flight  Safety  Section 
Air  Force  Headquarters 

Seoul,  Korea 

9 .  Ma j .  Chong  Kwan  Lee 

144-88  Jangwee-Dong  Sungbuk  Goo 
Seoul ,  Korea 

10.  Cdr.  Lewis  E.  Waldeisen 

Navy  Biodynamics  Laboratory 
Box  29407 

New  Orleans,  Louisiana  70189 


Copies 

2 

2 

1 

1 

1 

1 

1 

1 

1 

1 


134 


11.  Lt.  Col.  Lockhert 

Air  Force  Inspection  amd  Safety  Center 
Norton  Air  Force  Base,  California  92409 

12.  Lt.  M.J.  Pianka 

Naval  Safety  Center  Code  1212 
NAS  Norfolk,  Virginia  23511 


